Abstract

We present a tableau-based algorithm for deciding satisfiability for propositional dynamic logic (PDL)
which builds a finite rooted tree with ancestor loops and passes extra information from children to
parents to separate good loops from bad loops during backtracking. It is easy to implement, with
potential for parallelisation, because it constructs a pseudo-model "on the fly" by exploring each
tableau branch independently. But its worst-case behaviour is 2EXPTIME rather than EXPTIME. A
prototype implementation in the TWB (http://twb.rsise.anu.edu.au) is available.

1 Introduction

Propositional dynamic logic (PDL) is a logic for reasoning about programs [14,8]. Its formulae
consist of traditional Boolean formulae plus "action modalities" built from a finite set of atomic
programs using sequential composition (;), non-deterministic choice ($\cup$), repetition (*), and
test (?). The satisfiability problem for PDL is EXPTIME-complete [15]. Unlike EXPTIME-complete
description logics with algorithms exhibiting good average-case behaviour, no decision procedures
for PDL-satisfiability are satisfactory from both a theoretical (soundness and completeness) and
practical (average case behaviour) viewpoint as we explain below.

The earliest decision procedures for PDL are due to Fischer and Ladner [8] and Pratt [15].
Fischer and Ladner's method is impractical because it first constructs the set of all consistent
subsets of the set of all subformulae of the given formula, which always requires exponential time
in all cases. On the other hand, Pratt [15] essentially builds a multi-pass (explained shortly)
tableau method. Most subsequent decision procedures for other fix-point logics like propositional
linear temporal logic (PLTL) [18], computation tree logic (CTL) [4,7] and the modal $\mu$-calculus
[13] trace back to Pratt [15], and they all share one main disadvantage as explained next.

In these multi-pass procedures, a "state" is a node which contains only diamond-like-formulae
("eventualities"), box-like-formulae, atoms and negated atoms. The first pass constructs a rooted
tableau of nodes containing formula-sets, but allows cross-branch arcs from a state $n$ on one
branch to a (previously constructed) state $m$ on a different branch if applying the tableau
construction to $n$ would duplicate $m$. Thus the first pass constructs a "pseudo-model" which is a
potentially exponential-sized cyclic graph (rather than a cyclic tree where $m$ would have to be an
ancestor of $n$). The subsequent passes check that the "pseudo-model" is a real model by pruning
inconsistent nodes and pruning nodes containing "unfulfilled eventualities".

Although efficient model-checking techniques can check the "pseudo-model" in time which is linear
in its size, these multi-pass methods can construct an exponential-sized cyclic graph needlessly.
One solution is to check for fulfilled eventualities "on the fly", as the graph is built, and
although such methods exist for model-checking [6,5], we know of no such decision procedures for
PDL. The only implementation of a multiple-pass method for PDL that we know of is in LoTRec
(www.irit.fr/Lotrec) but it is not optimal as it treats disjunctions naively.

Baader [3] gave a single-pass tableau-based decision procedure for a description logic with role
definitions involving union, composition and transitive closure of roles: essentially PDL without
test. His method constructs a (cyclic tree) tableau using the semantics of the PDL operators. To
separate "good loops" from "bad loops", Baader must decide equality of regular languages, a
PSPACE-complete problem which in practice may require exponential time. Instead of solving these
problems "on the fly", they can be reduced to a simple check on the identity of states in a
deterministic minimal automaton created from the positive regular expressions appearing in the
initial formula during a pre-processing stage [3, page 27]. But since the pre-computed automaton
can be of exponential size, this alternative may require exponential time needlessly. Baader's
method is double-exponential in the worst-case. The "test" construct is essential to express
"while" loops but creates a mutual recursion between the Boolean language and the regular
language. It is not obvious to us how to extend Baader's method to "test". DLP
(http://www.cs.bell-labs.com/cin/cs/who/pfps/dlp) implements this method
restricted to test-free formulae where * applies only to atomic programs.

De Giacomo and Massacci [9] gave an optimal PDL-satisfiability test using labelled formulae like
$\sigma : \varphi$ to capture that "possible world $\sigma$ makes formula $\varphi$ true". They
first give a NEXPTIME algorithm for deciding PDL-satisfiability and then discuss ways to obtain an
EXPTIME version using various known results. But an actual EXPTIME algorithm, and its soundness and
completeness proofs, are not given. A deterministic implementation of their NEXPTIME algorithm by
Schmidt and Tishkovsky struck problems with nested stars, but a solution is forthcoming [16].

Other decision procedures for fix-point logics use resolution calculi, translation methods,
automata-theoretic methods, and game theoretic methods: see [1] for references. We know of no
implementations for PDL based on these methods.

Here, we give a sound, complete and terminating decision procedure for PDL 
with the following advantages and disadvantages: 

One-pass nature: our method constructs a single-rooted finite tree (with loops from leaves to
ancestors). As there are no cross-branch edges, we can use depth-first, left-to-right search,
reclaiming the space used for each branch via backtracking.

Proofs: Full elementary proofs of soundness and completeness are available.

Ease of implementation: our rules are easy to implement since our tableau nodes contain sets of
formulae and some easily defined extra information whose manipulation requires only set
intersection, set membership, and min/max on integers. But these low-level details make the rules
cumbersome to describe.

Potential for optimisation: there is potential to optimise our (tree) tableaux using successful
techniques from (one-pass) tableaux for description logics [11].

Ease of generating counter-models: the soundness proof immediately gives an effective procedure for
turning an "open" tableau into a PDL-model.

Ease of generating proofs: unlike existing Gentzen calculi for fix-point logics [2,12], our tableau
calculus gives a cut-free Gentzen-style calculus with "cyclic proofs" with an optimal rather than
worst-case bound for the finitised omega rule.

Potential for parallelisation: our rules build the branches independently but combine their results
during backtracking, enabling a parallel implementation.

Prototype: a (sequential) prototype implementation in the Tableau Work Bench
(twb.rsise.anu.edu.au) allows arbitrary PDL formulae to be tested over the web.

Complexity: our method has worst-case double-exponential time complexity.

Generality: Our method for PDL fits into a class of similar "one pass" methods for other fix-point
logics like PLTL [17] and CTL [1]. Further experimental work is required to determine if our
methods can be optimised to exhibit good average-case behaviour using techniques like sound global
caching [10].

2 Syntax, Semantics and Hintikka Structures 

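Definition 2.1 Let AFml and APrg be two disjoint and countably infinite sets of propositional atoms
and atomic programs, respectively. The set Fml of all formulae and the set Prg of all programs are
defined inductively as follows:

(i) $\mathrm{AFml} \subseteq \mathrm{Fml}$ and $\mathrm{APrg} \subseteq \mathrm{Prg}$

(ii) if $\varphi, \psi \in \mathrm{Fml}$ then $\neg\varphi \in \mathrm{Fml}$ and $\varphi \wedge \psi \in \mathrm{Fml}$ and $\varphi \vee \psi \in \mathrm{Fml}$ and $\varphi? \in \mathrm{Prg}$

(iii) if $\varphi \in \mathrm{Fml}$ and $\alpha \in \mathrm{Prg}$ then $\langle\alpha\rangle\varphi \in \mathrm{Fml}$ and $[\alpha]\varphi \in \mathrm{Fml}$

(iv) if $\alpha \in \mathrm{Prg}$ and $\beta \in \mathrm{Prg}$ then $(\alpha;\beta) \in \mathrm{Prg}$ and $\alpha \cup \beta \in \mathrm{Prg}$ and $\alpha^* \in \mathrm{Prg}$.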

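Let $p, q$ range over members of AFml and $a, b$ range over members of APrg. A
$\langle\rangle$-formula is any formula $\langle\alpha\rangle\varphi$, a $\langle\not a\rangle$-formula
is a $\langle\rangle$-formula $\langle\alpha\rangle\varphi$ with $\alpha \notin \mathrm{APrg}$, and a
$\langle*\rangle$-formula is any formula $\langle\alpha^*\rangle\varphi$. $\mathrm{Fml}\langle\rangle$
is the set of all $\langle\rangle$-formulae, $\mathrm{Fml}\langle\not a\rangle$ is the set of all
$\langle\not a\rangle$-formulae, and $\mathrm{Fml}\langle*\rangle$ is the set of all
$\langle*\rangle$-formulae.

Table 1
Smullyan's $\boldsymbol{\alpha}$- and $\boldsymbol{\beta}$-notation to classify formulae

Definition 2.2 A transition frame is a pair $(W, R)$ where $W$ is a non-empty set of worlds and $R$
a function that maps each atomic program $a$ to a binary relation $R_a$ over $W$. A model
$(W, R, V)$ is a transition frame $(W, R)$ and a valuation function $V : \mathrm{AFml} \to 2^W$
mapping each atomic proposition $p$ to a set $V(p)$ of worlds.

Definition 2.3 Let $M = (W, R, V)$ be a model. The functions $\tau_M : \mathrm{Fml} \to 2^W$ and
$\rho_M : \mathrm{Prg} \to 2^{W \times W}$ are defined inductively as follows:

$$\begin{aligned}
\tau_M(p) &:= V(p) \qquad \rho_M(a) := R_a \qquad \tau_M(\neg\varphi) := W \setminus \tau_M(\varphi)\\
\tau_M(\varphi \wedge \psi) &:= \tau_M(\varphi) \cap \tau_M(\psi) \qquad \tau_M(\varphi \vee \psi) := \tau_M(\varphi) \cup \tau_M(\psi)\\
\tau_M([\alpha]\varphi) &:= \{w \mid \forall v \in W.\ (w,v) \in \rho_M(\alpha) \Rightarrow v \in \tau_M(\varphi)\}\\
\tau_M(\langle\alpha\rangle\varphi) &:= \{w \mid \exists v \in W.\ (w,v) \in \rho_M(\alpha)\ \&\ v \in \tau_M(\varphi)\}\\
\rho_M(\alpha \cup \beta) &:= \rho_M(\alpha) \cup \rho_M(\beta) \qquad \rho_M(\varphi?) := \{(w,w) \mid w \in \tau_M(\varphi)\}\\
\rho_M(\alpha;\beta) &:= \{(w,v) \mid \exists u \in W.\ (w,u) \in \rho_M(\alpha)\ \&\ (u,v) \in \rho_M(\beta)\}\\
\rho_M(\alpha^*) &:= \{(w,v) \mid \exists k \in \mathbb{N}.\ \exists w_0, \ldots, w_k \in W.\ (w_0 = w\ \&\ w_k = v\ \&\ \forall i \in \{0, \ldots, k-1\}.\ (w_i, w_{i+1}) \in \rho_M(\alpha))\}
\end{aligned}$$

For $w \in W$ and $\varphi \in \mathrm{Fml}$, we write $M, w \Vdash \varphi$ iff $w \in \tau_M(\varphi)$.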

Definition 2.4 Formula $\varphi \in \mathrm{Fml}$ is satisfiable iff there is a model
$M = (W, R, V)$ and a $w \in W$ such that $M, w \Vdash \varphi$. Formula $\varphi \in \mathrm{Fml}$
is valid iff $\neg\varphi$ is not satisfiable.

Definition 2.5 Formula $\varphi \in \mathrm{Fml}$ is in negation normal form if $\neg$ appears only
immediately before propositional atoms. For every $\varphi \in \mathrm{Fml}$, we obtain a formula
$\mathrm{nnf}(\varphi)$ in negation normal form by pushing negations inward repeatedly (e.g. using
de Morgan's laws) so $\varphi \leftrightarrow \mathrm{nnf}(\varphi)$ is valid. We define
${\sim}\varphi := \mathrm{nnf}(\neg\varphi)$.
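The semantics of Definition 2.3 and the negation normal form of Definition 2.5 can be run directly on a finite model. The following is an added example, not code from the paper or from the TWB prototype; the tuple encoding of formulae and programs, the function names and the three-world model are assumptions constructed for illustration.

```python
# Formulae: ("atom", p) ("not", f) ("and", f, g) ("or", f, g) ("dia", prog, f) ("box", prog, f)
# Programs: ("prg", a) ("seq", x, y) ("choice", x, y) ("star", x) ("test", f)

def compose(r1, r2):
    """Relational composition: (w, v) such that w r1 u and u r2 v for some u."""
    return {(w, v) for (w, u) in r1 for (u2, v) in r2 if u == u2}

def rho(M, prog):
    """rho_M(prog): the set of (w, v) pairs related by prog (Definition 2.3)."""
    W, R, V = M
    kind = prog[0]
    if kind == "prg":                        # atomic program a: R_a
        return set(R.get(prog[1], ()))
    if kind == "choice":
        return rho(M, prog[1]) | rho(M, prog[2])
    if kind == "seq":
        return compose(rho(M, prog[1]), rho(M, prog[2]))
    if kind == "test":                       # phi? relates w to itself where phi holds
        return {(w, w) for w in tau(M, prog[1])}
    if kind == "star":                       # reflexive-transitive closure, as a fix-point
        step = rho(M, prog[1])
        closure = {(w, w) for w in W}        # the case k = 0
        while True:
            bigger = closure | compose(closure, step)
            if bigger == closure:
                return closure
            closure = bigger
    raise ValueError(f"unknown program {prog!r}")

def tau(M, f):
    """tau_M(f): the set of worlds of M at which f holds (Definition 2.3)."""
    W, R, V = M
    kind = f[0]
    if kind == "atom":
        return set(V.get(f[1], ()))
    if kind == "not":
        return set(W) - tau(M, f[1])
    if kind == "and":
        return tau(M, f[1]) & tau(M, f[2])
    if kind == "or":
        return tau(M, f[1]) | tau(M, f[2])
    if kind in ("dia", "box"):
        rel, target = rho(M, f[1]), tau(M, f[2])
        if kind == "dia":
            return {w for (w, v) in rel if v in target}
        return {w for w in W if all(v in target for (u, v) in rel if u == w)}
    raise ValueError(f"unknown formula {f!r}")

def nnf_prog(prog):
    """Normalise the test formulae that occur inside a program."""
    kind = prog[0]
    if kind == "prg":
        return prog
    if kind == "test":
        return ("test", nnf(prog[1]))
    if kind == "star":
        return ("star", nnf_prog(prog[1]))
    return (kind, nnf_prog(prog[1]), nnf_prog(prog[2]))

def nnf(f):
    """Negation normal form (Definition 2.5): push negations down to the atoms."""
    kind = f[0]
    if kind == "atom":
        return f
    if kind in ("and", "or"):
        return (kind, nnf(f[1]), nnf(f[2]))
    if kind in ("dia", "box"):
        return (kind, nnf_prog(f[1]), nnf(f[2]))
    g = f[1]                                 # kind == "not"
    if g[0] == "atom":
        return f
    if g[0] == "not":
        return nnf(g[1])
    if g[0] in ("and", "or"):                # de Morgan
        dual = "or" if g[0] == "and" else "and"
        return (dual, nnf(("not", g[1])), nnf(("not", g[2])))
    dual = "box" if g[0] == "dia" else "dia" # modal duality
    return (dual, nnf_prog(g[1]), nnf(("not", g[2])))

# Constructed model: 0 -a-> 1 -a-> 2 -a-> 2, with p true at 2 and q true at 0 and 1.
MODEL = ({0, 1, 2}, {"a": {(0, 1), (1, 2), (2, 2)}}, {"p": {2}, "q": {0, 1}})
P, Q, A = ("atom", "p"), ("atom", "q"), ("prg", "a")
EVENTUALLY_P = ("dia", ("star", A), P)                       # <a*>p
ALWAYS_Q = ("box", ("star", A), Q)                           # [a*]q
WHILE_Q_DO_A = ("seq", ("star", ("seq", ("test", Q), A)), ("test", ("not", Q)))
AFTER_WHILE_P = ("box", WHILE_Q_DO_A, P)                     # [(q?;a)*;(not q)?]p
UNSAT_EXAMPLE = ("dia", ("star", ("test", Q)), ("and", P, ("not", P)))
NEGATED = ("not", ("box", ("star", A), ("or", P, ("not", Q))))
```

`WHILE_Q_DO_A` is the usual encoding of "while q do a" that the introduction alludes to, and `UNSAT_EXAMPLE` is the formula used in the worked example of Section 4.3, which holds at no world of this model.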

We use Smullyan's $\boldsymbol{\alpha}$/$\boldsymbol{\beta}$-notation to categorise formulae via
Table 1 and use bolding to differentiate it from the use of $\alpha$ and $\beta$ as members of Prg.
So if $\boldsymbol{\alpha}$ (respectively $\boldsymbol{\beta}$) is any formula pattern in the first
row then $\boldsymbol{\alpha}_1$ and $\boldsymbol{\alpha}_2$ (respectively $\boldsymbol{\beta}_1$
and $\boldsymbol{\beta}_2$) are its corresponding patterns in the second and third row.

Proposition 2.6 All formulae $\boldsymbol{\alpha} \leftrightarrow \boldsymbol{\alpha}_1 \wedge \boldsymbol{\alpha}_2$ and $\boldsymbol{\beta} \leftrightarrow \boldsymbol{\beta}_1 \vee \boldsymbol{\beta}_2$ in Table 1 are valid.

Definition 2.7 A structure $(W, R, L)$ [for $\varphi \in \mathrm{Fml}$] is a transition frame
$(W, R)$ and a labelling function $L : W \to 2^{\mathrm{Fml}}$ which associates with each world
$w \in W$ a set $L(w)$ of formulae [and has $\varphi \in L(v)$ for some world $v \in W$].

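Definition 2.8 For a given $\varphi \in \mathrm{Fml}$ the (infinite) set $\mathrm{pre}(\varphi)$ is defined as:

$$\mathrm{pre}(\varphi) := \{\psi \in \mathrm{Fml} \mid \exists k \in \mathbb{N}.\ \exists \alpha_1, \ldots, \alpha_k \in \mathrm{Prg}.\ \psi = \langle\alpha_1\rangle \ldots \langle\alpha_k\rangle\varphi\}.$$

For all formulae $\varphi$ and $\psi$, the binary relation $\rightsquigarrow$ on formulae is defined
as: $\varphi \rightsquigarrow \psi$ iff (exactly) one of the following conditions is true:

• $\exists \chi \in \mathrm{Fml}.\ \exists \alpha, \beta \in \mathrm{Prg}.\ \varphi = \langle\alpha;\beta\rangle\chi\ \&\ \psi = \langle\alpha\rangle\langle\beta\rangle\chi$

• $\exists \chi \in \mathrm{Fml}.\ \exists \alpha, \beta \in \mathrm{Prg}.\ \varphi = \langle\alpha \cup \beta\rangle\chi\ \&\ (\psi = \langle\alpha\rangle\chi$ or $\psi = \langle\beta\rangle\chi)$

• $\exists \chi \in \mathrm{Fml}.\ \exists \alpha \in \mathrm{Prg}.\ \varphi = \langle\alpha^*\rangle\chi\ \&\ (\psi = \chi$ or $\psi = \langle\alpha\rangle\langle\alpha^*\rangle\chi)$

• $\exists \chi, \phi \in \mathrm{Fml}.\ \varphi = \langle\phi?\rangle\chi\ \&\ \psi = \chi$.

Intuitively, using Table 1, the "$\rightsquigarrow$" relates a $\langle\not a\rangle$-formula
$\boldsymbol{\alpha}$ (respectively $\boldsymbol{\beta}$), to $\boldsymbol{\alpha}_1$ (respectively
$\boldsymbol{\beta}_1$ and $\boldsymbol{\beta}_2$) while $\mathrm{pre}(\varphi)$ captures that
$\langle\alpha^*\rangle\varphi$ can be "reduced" to $\langle\alpha\rangle\langle\alpha^*\rangle\varphi$,
which can be reduced to $\langle\alpha_1\rangle \ldots \langle\alpha_k\rangle\langle\alpha^*\rangle\varphi$.
Note that $\varphi \in \mathrm{pre}(\varphi)$.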

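Definition 2.9 Let $H = (W, R, L)$ be a structure, $\varphi \in \mathrm{Fml}$ a formula,
$\beta \in \mathrm{Prg}$ a program, and $w \in W$ a state. A fulfilling chain for
$(\varphi, \beta, w)$ in $H$ is a finite sequence $(w_0, \psi_0), \ldots, (w_n, \psi_n)$ of
world-formula pairs with $n \geq 0$ such that:

• $w_i \in W$, $\psi_i \in \mathrm{pre}(\varphi)$, and $\psi_i \in L(w_i)$ for all $0 \leq i \leq n$

• $w_0 = w$, $\psi_0 = \langle\beta\rangle\varphi$, $\psi_n = \varphi$, and $\psi_i \neq \varphi$ for all $0 \leq i \leq n-1$

• for all $0 \leq i \leq n-1$, if $\psi_i = \langle a\rangle\chi$ for some $a \in \mathrm{APrg}$ and $\chi \in \mathrm{Fml}$ then $\psi_{i+1} = \chi$
and $w_i\, R_a\, w_{i+1}$; otherwise $\psi_i \rightsquigarrow \psi_{i+1}$ and $w_i = w_{i+1}$.

Each $\psi_i$ is in $L(w_i)$, the chain starts at $(w_0, \langle\beta\rangle\varphi)$, ends at
$(w_n, \varphi)$, and no other $w_j$ is paired with $\varphi$. Formulae $\psi_i, \psi_{i+1}$ are
$\rightsquigarrow$-related and corresponding worlds $w_i, w_{i+1}$ are equal unless
$\psi_i = \langle a\rangle\chi$, in which case $\psi_{i+1} = \chi$ and $w_i\, R_a\, w_{i+1}$.
Thus eventuality $\langle\beta\rangle\varphi \in w_0$ is fulfilled by $\varphi \in w_n$ and $w_n$
is $\beta$-reachable from $w_0$.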

Definition 2.10 A pre-Hintikka structure $H = (W, R, L)$ [for $\varphi \in \mathrm{Fml}$] is a
structure [for $\varphi$] that satisfies H1-H5 (below) for every $w \in W$ where
$\boldsymbol{\alpha}$ and $\boldsymbol{\beta}$ are formulae as defined in Table 1. A Hintikka
structure $H = (W, R, L)$ [for $\varphi \in \mathrm{Fml}$] is a pre-Hintikka structure [for
$\varphi$] that additionally satisfies H6 below:

H1 : $\neg p \in L(w) \Rightarrow p \notin L(w)$

H2 : $\boldsymbol{\alpha} \in L(w) \Rightarrow \boldsymbol{\alpha}_1 \in L(w)\ \&\ \boldsymbol{\alpha}_2 \in L(w)$

H3 : $\boldsymbol{\beta} \in L(w) \Rightarrow \boldsymbol{\beta}_1 \in L(w)$ or $\boldsymbol{\beta}_2 \in L(w)$

H4 : $\langle a\rangle\varphi \in L(w) \Rightarrow \exists v \in W.\ w\, R_a\, v\ \&\ \varphi \in L(v)$

H5 : $[a]\varphi \in L(w) \Rightarrow \forall v \in W.\ w\, R_a\, v \Rightarrow \varphi \in L(v)$

H6 : $\langle\alpha^*\rangle\varphi \in L(w) \Rightarrow$ there exists a fulfilling chain for $(\varphi, \alpha^*, w)$ in $H$.

H3 "locally unwinds" the fix-point semantics of $\langle\alpha^*\rangle\varphi$, but does not
guarantee a least fix-point which requires $\varphi$ be true eventually. H6 "globally" ensures all
$\langle*\rangle$-formulae are fulfilled. H2 captures the greatest fix-point semantics of
$[\alpha^*]\varphi$.

Theorem 2.11 A formula $\varphi \in \mathrm{Fml}$ in negation normal form is satisfiable iff there
exists a Hintikka structure for $\varphi$.

3 An Overview of the Algorithm 

To track unfulfilled eventualities and to avoid "at a world" cycles, our algorithm 
stores additional information in each tableau node using histories and variables [17]. 
Histories are passed from parents to children and variables from children to parents. 

Our algorithm starts at a root containing a given formula $\phi$ and some default history values.
It builds a tree by repeatedly applying $\boldsymbol{\alpha}$-/$\boldsymbol{\beta}$-rules to
decompose formulae via the semantics of PDL. The $\boldsymbol{\beta}$-rule for
$\langle\alpha^*\rangle\varphi$ has a left child that fulfils this eventuality by reducing it to
$\varphi$, and a right child that procrastinates fulfilment by "reducing" it to
$\langle\alpha\rangle\langle\alpha^*\rangle\varphi$. The rules modify the histories and variables
as appropriate for their intended purpose.

But naive application of the $\boldsymbol{\alpha}$-/$\boldsymbol{\beta}$-rules to formulae like
$\langle a^{**}\rangle\varphi$ with nested stars can lead to "at a world" cycles: e.g.
$\langle a^{**}\rangle\varphi, \cdots, \langle a^*\rangle\langle a^{**}\rangle\varphi, \cdots, \langle a^{**}\rangle\varphi$.
A solution is to use the histories to reduce one particular $\langle\alpha\rangle$-formula until
$\alpha$ becomes atomic by forcing the rules to concentrate on this task, and to block previously
reduced diamonds and boxes if they lead to "at a world" cycles. The application of
$\boldsymbol{\alpha}$-/$\boldsymbol{\beta}$-rules stops when all non-blocked leaves contain only
atoms, negated atoms, and all $\langle\rangle$-formulae and all $[\,]$-formulae begin with outermost
atomic programs only.

For each such leaf node $l$, and for each $\langle a\rangle\xi$-formula in $l$, the
$\langle\rangle$-rule creates a successor node containing $\{\xi\} \cup \Delta$, where
$\Delta = \{\psi \mid [a]\psi \in l\}$. These successors are then saturated to produce new leaves
using the $\boldsymbol{\alpha}$- and $\boldsymbol{\beta}$-rules, and the $\langle\rangle$-rule
creates the successors of these new leaves, and so on.

If left unchecked, this procedure can produce infinite branches since the same successors can be
created again and again on the same branch. To obtain termination, the $\langle\rangle$-rule
creates a successor containing $\{\xi\} \cup \Delta$ for $l$ only if this successor has not already
been created previously higher up on the current branch.

So if the successor $\{\xi\} \cup \Delta$ exists already, the current branch is "blocked" from
re-creating it. The resulting loop may be "bad" since every $\boldsymbol{\beta}$-node on this
branch for an eventuality $\langle\alpha^*\rangle\varphi$ may procrastinate, so
$\langle\alpha^*\rangle\varphi$ is never fulfilled. To track this potentially unfulfilled
eventuality, we assign the height of the blocking node to the pair
$(\xi, \langle\alpha^*\rangle\varphi)$ via a variable uev as long as $\xi$ is a decomposition of
$\langle\alpha^*\rangle\varphi$.

During backtracking, our rules "merge" the uev entries of the children and also modify the
resulting uev to reverse-track the decomposition of $\langle\alpha^*\rangle\varphi$. In particular,
a uev entry becomes undefined at a node if the eventuality it tracks can be fulfilled in the
sub-tableau rooted at this node. Conversely, if a node at height $h$ receives a uev entry with
value at least $h$ then the eventuality tracked by this uev entry definitely cannot be fulfilled,
so the parent of this (blocking) node is then unsatisfiable.

Whether or not the initial formula $\phi$ is satisfiable is determined by the status of the root
node. Due to technicalities caused by "at a world" cycles, the status can be one of the values
"unsatisfiable", "open" or "barred" (to be explained later). The initial formula $\phi$ is
PDL-satisfiable iff the status of the root node is "open".

4 A One-pass Tableau Algorithm for PDL 

Definition 4.1 A tableau node $x$ is of the form
$(\Gamma :: \mathrm{HCr}, \mathrm{Nx}, \mathrm{BD}, \mathrm{BB} :: \mathrm{stat}, \mathrm{uev})$
where: $\Gamma$ is a set of formulae; HCr is a list of pairs $(\varphi, \Delta)$ where $\Delta$ is
a set of formulae and $\varphi \in \Delta$; Nx is either $\bot$ or a formula designated to be the
principal formula of the rule applied to $x$; BD is the set of "Blocked Diamonds"; BB is the set of
"Blocked Boxes"; stat has one of the values unsat, open, or barred; and uev is a partial function
from $\mathrm{Fml}\langle\rangle \times \mathrm{Fml}\langle*\rangle$ to $\mathbb{N}_{>0}$ (the
positive natural numbers).

Definition 4.2 A tableau for a formula set $\Gamma \subseteq \mathrm{Fml}$ and histories HCr, Nx,
BD, and BB is a tree of tableau nodes with root
$(\Gamma :: \mathrm{HCr}, \mathrm{Nx}, \mathrm{BD}, \mathrm{BB} :: \mathrm{stat}, \mathrm{uev})$
where the children of a node $x$ are obtained by a single application of a rule to $x$ (i.e. only
one rule can be applied to a node) but where the parent can inherit some information from the
children. A tableau is expanded if no rules can be applied to any of its leaves. On any branch of a
tableau, a node $t$ is an ancestor of a node $s$ iff $t$ lies above $s$ on the unique path from the
root down to $s$.

The list HCr is a history for detecting ancestor-loops and guarantees termination. The choice of
principal formula is free if $\mathrm{Nx} = \bot$, but is pre-determined as the formula in Nx
otherwise. When a diamond formula in the parent is decomposed to give a formula
$\varphi \in \mathrm{Fml}\langle\not a\rangle$ in the current node, we set the Nx-value of the
child to $\varphi$ to ensure that $\varphi$ is decomposed next. Together with the histories BD and
BB, this allows us to block $\langle\alpha^*\rangle$-formulae and $[\alpha^*]$-formulae from
creating "at a world" cycles. The variables stat and uev have their values determined by the
children of a node. Formally, stat = unsat at node $x$ if $x$ is definitely unsatisfiable.
Informally, stat = barred if all descendants of node $x$ are unsatisfiable or lead to an "at a
world" cycle. Finally, stat = open indicates that the node is potentially satisfiable, but as it
may be on a loop, this is something which we can determine only later as we backtrack towards the
root.

Definition 4.3 The partial function
$\mathrm{uev}_\bot : \mathrm{Fml}\langle\rangle \times \mathrm{Fml}\langle*\rangle \rightharpoonup \mathbb{N}_{>0}$
is the constant function that is undefined for all pairs of formulae: i.e.
$\forall \psi_1, \psi_2.\ \mathrm{uev}_\bot(\psi_1, \psi_2) = \bot$. The partial functions
$\mathrm{tst} : \mathrm{Fml} \rightharpoonup \mathrm{Fml}$ and
$\mathrm{bl} : \mathrm{Fml} \times 2^{\mathrm{Fml}} \to 2^{\mathrm{Fml}}$ are defined as:

$\bot$ otherwise

$\Gamma$ if $\chi \in \mathrm{Fml}\langle\not a\rangle$
otherwise.

The function tst returns $\bot$ when the formula being tested is not a $\langle\rangle$-formula, or
is a $\langle\rangle$-formula but its program is atomic. The function uev tracks unfulfilled
eventualities, so $\mathrm{uev}_\bot$ flags that all eventualities are fulfilled, and
$\mathrm{uev}(\chi_1, \chi_2)$ defined flags a potentially unfulfilled eventuality. If a node has
stat = unsat or stat = barred then its uev is irrelevant so it is arbitrarily set to
$\mathrm{uev}_\bot$.

4.1 The Rules

We use $\Gamma$ and $\Delta$ for sets of formulae and write
$\varphi_1, \ldots, \varphi_n, \Delta_1, \ldots, \Delta_m$ for the partition
$\{\varphi_1\} \uplus \cdots \uplus \{\varphi_n\} \uplus \Delta_1 \uplus \cdots \uplus \Delta_m$ of
formulae in a node. To save space, we often omit histories/variables which are passed unchanged
from parents/children to children/parents. Most rules are applicable only if some side-conditions
hold, and most involve actions that change histories downwards or variables upwards.

Terminal Rules. 

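$$(\mathit{id})\quad \frac{(\Gamma :: \cdots :: \mathrm{stat}, \mathrm{uev})}{}\qquad \{p, \neg p\} \subseteq \Gamma \text{ for some } p \in \mathrm{AFml}$$

Action for ($\mathit{id}$): stat := unsat and uev := $\mathrm{uev}_\bot$.

$$(\langle*\rangle_2)\quad \frac{(\langle\alpha^*\rangle\varphi,\ \Gamma :: \mathrm{Nx}, \mathrm{BD} :: \mathrm{stat}, \mathrm{uev})}{}\qquad \mathrm{Nx} \in \{\bot, \langle\alpha^*\rangle\varphi\}\ \&\ \langle\alpha^*\rangle\varphi \in \mathrm{BD}$$

Action for ($\langle*\rangle_2$): stat := barred and uev := $\mathrm{uev}_\bot$.

An $\mathit{id}$-node is clearly unsatisfiable. The principal formula of the
$\langle*\rangle_2$-rule is unfulfillable because it causes an "at a world" cycle, so this rule
terminates the current branch. Note both rules may be applicable to a node.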



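Linear ($\boldsymbol{\alpha}$) Rules.

$$(\wedge)\quad \frac{(\varphi \wedge \psi,\ \Gamma :: \mathrm{Nx} :: \mathrm{uev})}{(\varphi,\ \psi,\ \Gamma :: \mathrm{Nx} :: \mathrm{uev}_1)}
\qquad
([\cup])\quad \frac{([\alpha \cup \beta]\varphi,\ \Gamma :: \mathrm{Nx} :: \mathrm{uev})}{([\alpha]\varphi,\ [\beta]\varphi,\ \Gamma :: \mathrm{Nx} :: \mathrm{uev}_1)}$$

$$([;])\quad \frac{([\alpha;\beta]\varphi,\ \Gamma :: \mathrm{Nx} :: \mathrm{uev})}{([\alpha][\beta]\varphi,\ \Gamma :: \mathrm{Nx} :: \mathrm{uev}_1)}
\qquad
([*])\quad \frac{([\alpha^*]\varphi,\ \Gamma :: \mathrm{Nx}, \mathrm{BB} :: \mathrm{uev})}{(\Gamma_1 :: \mathrm{Nx}, \mathrm{BB}_1 :: \mathrm{uev}_1)}$$

Common Side Condition: $\mathrm{Nx} = \bot$.

Common Action: $\mathrm{uev}(\chi_1, \chi_2) := \mathrm{uev}_1(\chi_1, \chi_2)$ if $\chi_1 \in \Gamma$ else $\mathrm{uev}(\chi_1, \chi_2) := \bot$.

Extra Action for ($[*]$): $\Gamma_1 := \Gamma$ if $[\alpha^*]\varphi \in \mathrm{BB}$ else $\Gamma_1 := \{\varphi\} \cup \{[\alpha][\alpha^*]\varphi\} \cup \Gamma$,
$\mathrm{BB}_1 := \{[\alpha^*]\varphi\} \cup \mathrm{BB}$.

Most rules are standard but for the histories since they just capture the transformations in
Table 1. The $[*]$-rule just deletes $[\alpha^*]\varphi$ if $[\alpha^*]\varphi \in \mathrm{BB}$
since this indicates that it has already been expanded once "at this world". Otherwise it captures
the fix-point nature of $[\alpha^*]\varphi$ via Prop. 2.6 and then puts $[\alpha^*]\varphi$ into
$\mathrm{BB}_1$.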

The next two rules have individual side-conditions and actions as shown. 
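$$(\langle;\rangle)\quad \frac{(\langle\alpha;\beta\rangle\varphi,\ \Gamma :: \mathrm{Nx}, \mathrm{BD} :: \mathrm{uev})}{(\langle\alpha\rangle\langle\beta\rangle\varphi,\ \Gamma :: \mathrm{Nx}_1, \mathrm{BD}_1 :: \mathrm{uev}_1)}$$

Actions for ($\langle;\rangle$):

$$\mathrm{Nx}_1 := \mathrm{tst}(\langle\alpha\rangle\langle\beta\rangle\varphi) \qquad \mathrm{BD}_1 := \mathrm{bl}(\langle\alpha\rangle\langle\beta\rangle\varphi, \mathrm{BD})$$

$$\mathrm{uev}(\chi_1, \chi_2) := \begin{cases}
\mathrm{uev}_1(\langle\alpha\rangle\langle\beta\rangle\varphi, \chi_2) & \text{if } \chi_1 = \langle\alpha;\beta\rangle\varphi\\
\mathrm{uev}_1(\chi_1, \chi_2) & \text{if } \chi_1 \in \Gamma\\
\bot & \text{otherwise}
\end{cases}$$

$$(\langle?\rangle)\quad \frac{(\langle\psi?\rangle\varphi,\ \Gamma :: \mathrm{Nx}, \mathrm{BD} :: \mathrm{uev})}{(\varphi,\ \psi,\ \Gamma :: \mathrm{Nx}_1, \mathrm{BD}_1 :: \mathrm{uev}_1)}$$

Actions for ($\langle?\rangle$):

$$\mathrm{Nx}_1 := \mathrm{tst}(\varphi) \qquad \mathrm{BD}_1 := \mathrm{bl}(\varphi, \mathrm{BD})$$

$$\mathrm{uev}(\chi_1, \chi_2) := \begin{cases}
\mathrm{uev}_1(\varphi, \chi_2) & \text{if } \chi_1 = \langle\psi?\rangle\varphi\\
\mathrm{uev}_1(\chi_1, \chi_2) & \text{if } \chi_1 \in \Gamma\\
\bot & \text{otherwise}
\end{cases}$$

These rules just capture the transformations in Table 1 except for the histories. Their choice of
principal formula is free if $\mathrm{Nx} = \bot$, but is restricted to the formula in Nx
otherwise. If the decomposition $\chi$ of the principal $\langle\rangle$-formula is a
$\langle\not a\rangle$-formula, we put $\mathrm{Nx}_1$ of the child to be $\chi$ to enforce that
$\chi$ is the principal formula of the child. The actions for uev ensure that
$\mathrm{uev}(\chi_1, \chi_2)$, where $\chi_1$ is the principal $\langle\rangle$-formula, inherits
its value from the corresponding $\langle\rangle$-formulae in the child: e.g.
$\mathrm{uev}(\langle\alpha;\beta\rangle\varphi, \chi_2) = \mathrm{uev}_1(\langle\alpha\rangle\langle\beta\rangle\varphi, \chi_2)$
reverse-tracks the decomposition of $\langle\alpha;\beta\rangle\varphi$ into
$\langle\alpha\rangle\langle\beta\rangle\varphi$. Also, $\mathrm{uev}(\chi_1, \chi_2)$ is only
defined if $\chi_1$ is in the parent.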



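Universal Branching ($\boldsymbol{\beta}$) Rules.

$$(\vee)\quad \frac{(\varphi_1 \vee \varphi_2,\ \Gamma :: \mathrm{Nx} :: \mathrm{stat}, \mathrm{uev})}{(\varphi_1,\ \Gamma :: \mathrm{Nx} :: \mathrm{stat}_1, \mathrm{uev}_1) \mid (\varphi_2,\ \Gamma :: \mathrm{Nx} :: \mathrm{stat}_2, \mathrm{uev}_2)}\qquad \mathrm{Nx} = \bot$$

$$([?])\quad \frac{([\psi?]\varphi,\ \Gamma :: \mathrm{Nx} :: \mathrm{stat}, \mathrm{uev})}{({\sim}\psi,\ \Gamma :: \mathrm{Nx} :: \mathrm{stat}_1, \mathrm{uev}_1) \mid (\varphi,\ \Gamma :: \mathrm{Nx} :: \mathrm{stat}_2, \mathrm{uev}_2)}$$

Action for ($\vee$) and ($[?]$) for $i = 1, 2$:

$$\mathrm{uev}'_i(\chi_1, \chi_2) := \begin{cases}
\mathrm{uev}_i(\chi_1, \chi_2) & \text{if } \chi_1 \in \Gamma\\
\bot & \text{otherwise}
\end{cases}$$

$$(\langle\cup\rangle)\quad \frac{(\langle\alpha_1 \cup \alpha_2\rangle\varphi,\ \Gamma :: \mathrm{Nx}, \mathrm{BD} :: \mathrm{stat}, \mathrm{uev})}{(\langle\alpha_1\rangle\varphi,\ \Gamma :: \mathrm{Nx}_1, \mathrm{BD}_1 :: \mathrm{stat}_1, \mathrm{uev}_1) \mid (\langle\alpha_2\rangle\varphi,\ \Gamma :: \mathrm{Nx}_2, \mathrm{BD}_2 :: \mathrm{stat}_2, \mathrm{uev}_2)}$$

Side-condition for ($\langle\cup\rangle$): $\mathrm{Nx} \in \{\bot, \langle\alpha_1 \cup \alpha_2\rangle\varphi\}$

Action for ($\langle\cup\rangle$) for $i = 1, 2$:

$$\mathrm{Nx}_i := \mathrm{tst}(\langle\alpha_i\rangle\varphi) \qquad \mathrm{BD}_i := \mathrm{bl}(\langle\alpha_i\rangle\varphi, \mathrm{BD})$$

$$\mathrm{uev}'_i(\chi_1, \chi_2) := \begin{cases}
\mathrm{uev}_i(\langle\alpha_i\rangle\varphi, \chi_2) & \text{if } \chi_1 = \langle\alpha_1 \cup \alpha_2\rangle\varphi\\
\mathrm{uev}_i(\chi_1, \chi_2) & \text{if } \chi_1 \in \Gamma\\
\bot & \text{otherwise}
\end{cases}$$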



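$$(\langle*\rangle_1)\quad \frac{(\langle\alpha^*\rangle\varphi,\ \Gamma :: \mathrm{Nx}, \mathrm{BD} :: \mathrm{stat}, \mathrm{uev})}{(\varphi,\ \Gamma :: \mathrm{Nx}_1, \mathrm{BD}_1 :: \mathrm{stat}_1, \mathrm{uev}_1) \mid (\langle\alpha\rangle\langle\alpha^*\rangle\varphi,\ \Gamma :: \mathrm{Nx}_2, \mathrm{BD}_2 :: \mathrm{stat}_2, \mathrm{uev}_2)}$$

Side-condition for ($\langle*\rangle_1$): $\mathrm{Nx} \in \{\bot, \langle\alpha^*\rangle\varphi\}\ \&\ \langle\alpha^*\rangle\varphi \notin \mathrm{BD}$

Action for ($\langle*\rangle_1$):

$$\mathrm{Nx}_1 := \mathrm{tst}(\varphi) \qquad \mathrm{BD}_1 := \mathrm{bl}(\varphi, \{\langle\alpha^*\rangle\varphi\} \cup \mathrm{BD})$$

$$\mathrm{uev}'_1(\chi_1, \chi_2) := \begin{cases}
\bot & \text{if } \chi_1 = \chi_2 = \langle\alpha^*\rangle\varphi\\
\mathrm{uev}_1(\varphi, \chi_2) & \text{if } \chi_1 = \langle\alpha^*\rangle\varphi \neq \chi_2\\
\mathrm{uev}_1(\chi_1, \chi_2) & \text{if } \chi_1 \in \Gamma\\
\bot & \text{otherwise}
\end{cases}$$

$$\mathrm{Nx}_2 := \mathrm{tst}(\langle\alpha\rangle\langle\alpha^*\rangle\varphi) \qquad \mathrm{BD}_2 := \mathrm{bl}(\langle\alpha\rangle\langle\alpha^*\rangle\varphi, \{\langle\alpha^*\rangle\varphi\} \cup \mathrm{BD})$$

$$\mathrm{uev}'_2(\chi_1, \chi_2) := \begin{cases}
\mathrm{uev}_2(\langle\alpha\rangle\langle\alpha^*\rangle\varphi, \chi_2) & \text{if } \chi_1 = \langle\alpha^*\rangle\varphi\\
\mathrm{uev}_2(\chi_1, \chi_2) & \text{if } \chi_1 \in \Gamma\\
\bot & \text{otherwise}
\end{cases}$$

The $\langle*\rangle_1$-rule captures the fix-point nature of the $\langle*\rangle$-formulae
according to Prop. 2.6 as long as the principal formula is not blocked via BD. The choice of the
principal formulae in the first child is either free if $\varphi$ is not a
$\langle\not a\rangle$-formula or is $\varphi$ if $\varphi$ is a $\langle\not a\rangle$-formula. In
the latter case we also block the regeneration of $\langle\alpha^*\rangle\varphi$ and thus avoid an
"at a world" cycle by putting $\langle\alpha^*\rangle\varphi$ into $\mathrm{BD}_1$. The right child
is treated similarly but uses $\langle\alpha\rangle\langle\alpha^*\rangle\varphi$ instead of
$\varphi$.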



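Actions for all $\boldsymbol{\beta}$-rules:

$$\mathrm{stat} := \begin{cases}
\text{unsat} & \text{if } \mathrm{stat}_1 = \text{unsat}\ \&\ \mathrm{stat}_2 = \text{unsat}\\
\text{open} & \text{if } \mathrm{stat}_1 = \text{open or } \mathrm{stat}_2 = \text{open}\\
\text{barred} & \text{otherwise}
\end{cases}$$

$$\min\nolimits_\bot(f, g)(\chi_1, \chi_2) := \begin{cases}
\bot & \text{if } f(\chi_1, \chi_2) = \bot \text{ or } g(\chi_1, \chi_2) = \bot\\
\min(f(\chi_1, \chi_2), g(\chi_1, \chi_2)) & \text{otherwise}
\end{cases}$$

$$\mathrm{uev} := \begin{cases}
\mathrm{uev}_\bot & \text{if } \mathrm{stat} \neq \text{open}\\
\mathrm{uev}'_1 & \text{if } \mathrm{stat}_1 = \text{open} \neq \mathrm{stat}_2\\
\mathrm{uev}'_2 & \text{if } \mathrm{stat}_1 \neq \text{open} = \mathrm{stat}_2\\
\min\nolimits_\bot(\mathrm{uev}'_1, \mathrm{uev}'_2) & \text{if } \mathrm{stat}_1 = \text{open} = \mathrm{stat}_2
\end{cases}$$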

The intuitions are: 

$\mathrm{uev}'_i$: the definitions of $\mathrm{uev}'_i$ ensure that the pairs $(\chi_1, \chi_2)$,
where $\chi_1$ is the principal $\langle\rangle$-formula, get the values from their corresponding
$\langle\rangle$-formulae in the children. In the $\langle*\rangle_1$-rule, a special case sets the
value of $\mathrm{uev}'_1(\chi_1, \chi_2)$ to $\bot$ if $\chi_1$ and $\chi_2$ are equal to the
principal formula $\langle\alpha^*\rangle\varphi$ of this rule since the eventuality
$\langle\alpha^*\rangle\varphi$ is no longer unfulfilled as the left child fulfils it. Note that
$\mathrm{uev}'_i(\chi_1, \chi_2)$ is only defined if $\chi_1$ is in the parent.

$\min_\bot$: the definition of $\min_\bot$ ensures that we take the minimum of $f(\chi_1, \chi_2)$
and $g(\chi_1, \chi_2)$ only when both functions are defined for $(\chi_1, \chi_2)$.

uev: if $\mathrm{stat} \neq$ open, the uev is irrelevant, so we arbitrarily set it as undefined. If
only one child has stat = open, we take its $\mathrm{uev}'$. If both children have stat = open, we
take the minimum value of entries that are defined in $\mathrm{uev}'_1$ and $\mathrm{uev}'_2$.
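The backtracking actions for the β-rules, together with the uev adjustment of the ⟨*⟩₁-rule, are small enough to run by hand. The following is an added example, not code from the paper or from the TWB prototype; it assumes formulae are opaque strings, a partial function uev is a dict whose missing keys mean "undefined", and the child results in `worked_cases` are constructed.

```python
UNSAT, OPEN, BARRED = "unsat", "open", "barred"

def beta_stat(stat1, stat2):
    """stat of a beta-node, computed from the stat of its two children."""
    if stat1 == UNSAT and stat2 == UNSAT:
        return UNSAT
    if stat1 == OPEN or stat2 == OPEN:
        return OPEN
    return BARRED

def min_bot(f, g):
    """min_bot: defined only for pairs on which both partial functions are defined."""
    return {pair: min(f[pair], g[pair]) for pair in f.keys() & g.keys()}

def beta_uev(stat1, uev1p, stat2, uev2p):
    """uev of a beta-node from the adjusted uev'_1 and uev'_2 of its children."""
    if beta_stat(stat1, stat2) != OPEN:
        return {}                            # uev_bot: undefined everywhere
    if stat1 == OPEN and stat2 != OPEN:
        return dict(uev1p)
    if stat1 != OPEN and stat2 == OPEN:
        return dict(uev2p)
    return min_bot(uev1p, uev2p)

def star1_adjust(principal, phi, step, gamma, uev1, uev2):
    """uev'_1 and uev'_2 for the <*>_1-rule.

    principal is <alpha*>phi, step is <alpha><alpha*>phi, gamma is the rest of the node.
    """
    uev1p, uev2p = {}, {}
    for (x1, x2), level in uev1.items():
        if x1 in gamma:                      # side formulae keep their entries
            uev1p[(x1, x2)] = level
        if x1 == phi and x2 != principal:    # re-key phi's entries to the principal formula
            uev1p[(principal, x2)] = level   # (principal, principal) stays undefined
    for (x1, x2), level in uev2.items():
        if x1 in gamma:
            uev2p[(x1, x2)] = level
        if x1 == step:                       # re-key the procrastinating child's entries
            uev2p[(principal, x2)] = level
    return uev1p, uev2p

def worked_cases():
    """Constructed scenario: the right child of <a*>p loops to an ancestor at level 1."""
    star, step = "<a*>p", "<a><a*>p"
    other, other_star = "<b><b*>q", "<b*>q"  # an unrelated eventuality sitting in Gamma
    uev1 = {(other, other_star): 2}
    uev2 = {(step, star): 1, (other, other_star): 1}
    u1p, u2p = star1_adjust(star, "p", step, {other}, uev1, uev2)
    return {
        "both_open": beta_uev(OPEN, u1p, OPEN, u2p),
        "left_closed": beta_uev(UNSAT, u1p, OPEN, u2p),
        "right_barred": beta_uev(OPEN, u1p, BARRED, u2p),
        "none_open": (beta_stat(UNSAT, BARRED), beta_uev(UNSAT, u1p, BARRED, u2p)),
    }
```

When both children are open the entry for `<a*>p` disappears because the left child fulfils it, while the entry for the unrelated eventuality keeps the smaller level; when the left child is closed the loop recorded by the right child survives as a potentially unfulfilled eventuality.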
All previous rules modify existing uev-entries, but never create new ones. The
next rule is the only rule that creates uev-entries (by identifying loops).

Existential Branching Rule. 

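$$(\langle\rangle)\quad \frac{\langle a_1\rangle\varphi_1, \ldots, \langle a_n\rangle\varphi_n,\ \langle a_{n+1}\rangle\varphi_{n+1}, \ldots, \langle a_{n+m}\rangle\varphi_{n+m},\ [-]\Delta,\ \Gamma :: \mathrm{HCr}, \mathrm{Nx}, \mathrm{BD}, \mathrm{BB} :: \mathrm{stat}, \mathrm{uev}}{\varphi_1, \Delta_1 :: \mathrm{HCr}_1, \mathrm{Nx}_1, \mathrm{BD}_1, \mathrm{BB}_1 :: \mathrm{stat}_1, \mathrm{uev}_1 \ \mid\ \cdots\ \mid\ \varphi_n, \Delta_n :: \mathrm{HCr}_n, \mathrm{Nx}_n, \mathrm{BD}_n, \mathrm{BB}_n :: \mathrm{stat}_n, \mathrm{uev}_n}$$

where:

(1) $n + m \geq 0$

(2) $\Gamma \subseteq (\mathrm{AFml} \cup \{\neg q \mid q \in \mathrm{AFml}\})$

(3) $[-]\Delta \subseteq \{[a]\psi \mid a \in \mathrm{APrg}\ \&\ \psi \in \mathrm{Fml}\}$

(4) $\Delta_i := \{\psi \mid [a_i]\psi \in [-]\Delta\}$ for $i = 1, \ldots, n$

(5) $\forall p \in \mathrm{AFml}.\ \{p, \neg p\} \not\subseteq \Gamma$

(6) $\forall i \in \{1, \ldots, n\}.\ \forall j \in \{1, \ldots, \mathrm{len}(\mathrm{HCr})\}.\ (\varphi_i, \{\varphi_i\} \cup \Delta_i) \neq \mathrm{HCr}[j]$

(7) $\forall k \in \{n+1, \ldots, n+m\}.\ \exists j \in \{1, \ldots, \mathrm{len}(\mathrm{HCr})\}.\ (\varphi_k, \{\varphi_k\} \cup \Delta_k) = \mathrm{HCr}[j]$

Actions for ($\langle\rangle$): for $i = 1, \ldots, n$: $\mathrm{HCr}_i := \mathrm{HCr}\ @\ [(\varphi_i, \{\varphi_i\} \cup \Delta_i)]$,
$\mathrm{Nx}_i := \mathrm{tst}(\varphi_i)$, $\mathrm{BD}_i := \emptyset$, $\mathrm{BB}_i := \emptyset$

$$\mathrm{stat} := \begin{cases}
\text{unsat} & \text{if } \exists i \in \{1, \ldots, n\}.\ \mathrm{stat}_i \neq \text{open or } (\exists \psi \in \mathrm{Fml}\langle*\rangle.\ \varphi_i \in \mathrm{pre}(\psi)\ \&\ \bot \neq \mathrm{uev}_i(\varphi_i, \psi) > \mathrm{len}(\mathrm{HCr}))\\
\text{open} & \text{otherwise}
\end{cases}$$

$\mathrm{uev}_k(\cdot, \cdot) := j \in \{1, \ldots, \mathrm{len}(\mathrm{HCr})\}$ such that $(\varphi_k, \{\varphi_k\} \cup \Delta_k) = \mathrm{HCr}[j]$
for $k = n+1, \ldots, n+m$.

$$\mathrm{uev}(\chi_1, \chi_2) := \begin{cases}
\mathrm{uev}_i(\varphi_i, \chi_2) & \text{if } \mathrm{stat} = \text{open}\ \&\ \chi_2 \in \mathrm{Fml}\langle*\rangle\ \&\ \chi_1 \in \mathrm{pre}(\chi_2)\ \&\ \chi_1 = \langle a_i\rangle\varphi_i \text{ for an } i \in \{1, \ldots, n+m\}\\
\bot & \text{otherwise}
\end{cases}$$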

Some intuitions are in order: 

(1) If $n = 0$, the application of the rule generates no new nodes and stat vacuously
evaluates to open. If $m = n = 0$, we additionally have $\mathrm{uev} := \mathrm{uev}_\bot$.

(2) The set $\Gamma$ contains only propositional atoms or their negations.

(3) The set $[-]\Delta$ contains only formulae of the type $[a]\psi$. Thus (2) and (3) imply
that the $\langle\rangle$-rule is applicable only if the node contains no $\boldsymbol{\alpha}$- or
$\boldsymbol{\beta}$-formulae.

(4) The set $\Delta_i$ contains all formulae that must belong to the $i$-th child, which fulfils
$\langle a_i\rangle\varphi_i$, so that we can build a Hintikka structure later on.

(5) The node must not contain a contradiction.

(6) If $n > 0$, then each $\langle a_i\rangle\varphi_i$ for $1 \leq i \leq n$ is not "blocked" by
an ancestor and has a child containing the formula set $\varphi_i \cup \Delta_i$ thereby generating
the required successor for $\langle a_i\rangle\varphi_i$. Note that len(HCr) denotes the length of
HCr.

(7) If $m > 0$, then each $\langle a_k\rangle\varphi_k$ for $n+1 \leq k \leq n+m$ is "blocked" from
creating its required child $\{\varphi_k\} \cup \Delta_k$ because some ancestor does the job. This
ancestor must not only consist of the formulae $\{\varphi_k\} \cup \Delta_k$ but it must also have
been created to fulfil $\langle a\rangle\varphi_k$ for some $a \in \mathrm{APrg}$. Note that the
values $a_k$ and $a$ are ignored when looking for loops since we are interested only in the
contents of the required child.

$\mathrm{HCr}_i$: is the HCr of the parent extended with an extra entry to record the "history" of
worlds created on the path from the root down to the $i$-th child using "@" as list concatenation.
Note that we store a pair $(\varphi_k, \varphi_k \cup \Delta_k)$, not just
$\varphi_k \cup \Delta_k$. That is, we remember that the node $\varphi_k \cup \Delta_k$ was created
to fulfil $\langle a\rangle\varphi_k$ for some $a \in \mathrm{APrg}$.

stat: the parent is unsatisfiable if some child has $\mathrm{stat} \neq$ open. But it is also
unsatisfiable if some child, say the $i$-th, and some eventuality $\langle\alpha^*\rangle\chi$ in
it "loops lower" because $\varphi_i \in \mathrm{pre}(\langle\alpha^*\rangle\chi)$ and
$\mathrm{uev}_i(\varphi_i, \langle\alpha^*\rangle\chi)$ is defined and greater than the length of
the current HCr. Intuitively, the latter tells us that the eventuality
$\langle\alpha^*\rangle\chi$ occurs in the sub-tableau rooted at the parent but cannot be
fulfilled.

$\mathrm{uev}_k$: for $n+1 \leq k \leq n+m$, the $k$-th child is blocked by a higher (proxy) child.
For every such $k$ we set $\mathrm{uev}_k$ to be the constant function which maps every
formula-pair to the level $j$ of its proxy child. This is just a temporary function used to define
uev as explained next. The blocking child itself must have been created to fulfil a
$\langle\rangle$-formula $\langle a'\rangle\varphi_k$, as indicated by the first component of
$\mathrm{HCr}[j]$.

$\mathrm{uev}(\chi_1, \chi_2)$: If stat = unsat then uev is undefined everywhere. Else, for each
$\chi_1 = \langle a_i\rangle\varphi_i$ with $i \in \{1, \ldots, n+m\}$, and each $\chi_2$ with
$\langle a_i\rangle\varphi_i \in \mathrm{pre}(\chi_2)$, we take
$\mathrm{uev}(\langle a_i\rangle\varphi_i, \chi_2)$ from the formulae-pair $(\varphi_i, \chi_2)$ of
the corresponding (real) child if $\langle a_i\rangle\varphi_i$ is "unblocked", or set it to the
level of the proxy child higher in the branch if it is "blocked". For all other formulae-pairs, uev
is undefined. The intuition is that a defined $\mathrm{uev}(\chi_1, \chi_2)$ flags a "loop" which
starts at the parent and eventually "loops" up to some blocking proxy. The value of
$\mathrm{uev}(\chi_1, \chi_2)$ tells us the level of the proxy because we cannot classify this
"loop" as "good" or "bad" until we backtrack to that level. The uev of each
$\langle a_i\rangle\varphi_i$ is taken from the child created specifically to contain $\varphi_i$,
a fact which is vital in the proofs.

$\mathrm{BD}_i, \mathrm{BB}_i, \mathrm{Nx}_i$: each child has no blocked diamond- or box-formulae,
and its principal formula is determined by the form of $\varphi_i$.

The $\langle\rangle$- and $\mathit{id}$-rules are mutually exclusive via their side-conditions. Our
rules are designed so that at least one rule is applicable to any node. As shown in the next
section, we need to build only one fully expanded tableau, hence if multiple rules are applicable
to a node, the choice of rule is immaterial. Of course, in our implementation, we give priority to
the $\mathit{id}$-rule since it may close a branch sooner. Other heuristics, like preferring linear
rules over branching rules, are also useful.

4.2 Termination, Soundness, and Completeness

Definition 4.4 Let
$x = (\Gamma :: \mathrm{HCr}, \mathrm{Nx}, \mathrm{BD}, \mathrm{BB} :: \mathrm{stat}, \mathrm{uev})$
be a tableau node, $\varphi$ a formula, and $\Delta$ a set of formulae. We write $\varphi \in x$
[$\Delta \subseteq x$] to mean $\varphi \in \Gamma$ [$\Delta \subseteq \Gamma$]. The parts of $x$
are written as $\mathrm{HCr}_x$, $\mathrm{Nx}_x$, $\mathrm{BD}_x$, $\mathrm{BB}_x$,
$\mathrm{stat}_x$, and $\mathrm{uev}_x$. Node $x$ is closed iff $\mathrm{stat}_x$ = unsat, open iff
$\mathrm{stat}_x$ = open, and barred iff $\mathrm{stat}_x$ = barred.

Definition 4.5 Let x be a ()-node in a tableau T (i.e. a ()-rule was applied to x). 
Then x is also called a state and the children of x are called core-nodes. Using the 
notation of the ()-rule, a formula ⟨a_i⟩φ_i ∈ x is blocked iff n+1 ≤ i ≤ n+m. For 
every not blocked ⟨a_i⟩φ_i ∈ x, the successor of ⟨a_i⟩φ_i is the i-th child of the ()-rule. 
For every blocked ⟨a_i⟩φ_i ∈ x there exists a unique core-node y on the path from the 
root of T to x such that {φ_i} ∪ Δ_i is the set of formulae of y, and y is the successor 
of a formula ⟨a'⟩φ_i in the parent of y. We call y the virtual successor of ⟨a_i⟩φ_i, and 
also call the formula φ_i in the (possibly virtual) successor of ⟨a_i⟩φ_i a core-formula. 

A state is another term for a ()-node but a core-node can be any type of node 
(even a state). A state arises from a core-node by α- and β-rules. Note that the 
core-formula in a core-node y is well-defined and unique: if x1 and x2 are states and y 
is the (possibly virtual) successor of ⟨a1⟩φ1 ∈ x1 and ⟨a2⟩φ2 ∈ x2, then φ1 = φ2. 

Let ϕ be a formula in negation normal form, and T an expanded tableau with 
root r = ({ϕ} :: [], ⊥, ∅, ∅ :: stat, uev) with stat and uev determined by r's children. 

Theorem 4.6 T is a finite tree. 

Theorem 4.7 If the root r ∈ T is open, there is a Hintikka structure for ϕ. 

Theorem 4.8 If the root r ∈ T is not open then ϕ is not satisfiable. 

Theorem 4.9 If |ϕ| = n, our procedure has worst-case time complexity in O(j? ). 

The length of a branch in a tableau is bounded, essentially by the number of 
core-nodes on that branch. The number of core-nodes itself is bounded, essentially 
by the cardinality of the power set of the set cl(ϕ) of all formulae that can appear 
in the tableau. The size of cl(ϕ) is polynomial in n, hence the length of a branch is 
in O(2"). Thus the overall (worst case) number of nodes in a tableau is in O(2^ ). 

4.3 Fully Worked Examples 

The first simple example illustrates how the procedure avoids infinite loops due to 
"at a world" cycles by blocking ⟨α*⟩φ- and [α*]φ-formulae from regenerating. The 
formula ⟨(q?)*⟩(p ∧ ¬p) is obviously not satisfiable. Hence, any expanded tableau 
with root ⟨(q?)*⟩(p ∧ ¬p) should not be open. Figure 1 shows such a tableau where 
each node is classified as a ρ-node if rule ρ is applied to that node in the tableau. 

The initial formula ⟨(q?)*⟩(p ∧ ¬p) in node (1) is decomposed into a β1-child p ∧ ¬p 
and a β2-child ⟨q?⟩⟨(q?)*⟩(p ∧ ¬p) according to the (*)1-rule. The formula p ∧ ¬p 
in node (2) is then decomposed according to the ∧-rule and node (3) is marked 
as closed because it contains a contradiction. Node (2) inherits the status from 
node (3) unchanged according to the α-rules and, thus, is closed too. 
Nodes of the tableau in Fig. 1, each as formulae :: HCr, Nx, BD, BB :: stat, uev: 

(1) (*)1-node: ⟨(q?)*⟩(p ∧ ¬p) :: [], ⊥, ∅, ∅ :: barred, uev⊥ 
(2) ∧-node: p ∧ ¬p :: [], ⊥, ∅, ∅ :: unsat, uev⊥ 
(3) id-node: p, ¬p :: [], ⊥, ∅, ∅ :: unsat, uev⊥ 
(4) (?)-node: ⟨q?⟩⟨(q?)*⟩(p ∧ ¬p) :: [], ⟨q?⟩⟨(q?)*⟩(p ∧ ¬p), {⟨(q?)*⟩(p ∧ ¬p)}, ∅ :: barred, uev⊥ 
(5) (*)2-node: q, ⟨(q?)*⟩(p ∧ ¬p) :: [], ⟨(q?)*⟩(p ∧ ¬p), {⟨(q?)*⟩(p ∧ ¬p)}, ∅ :: barred, uev⊥ 

Fig. 1. A first example: a closed tableau for ⟨(q?)*⟩(p ∧ ¬p) 



Because the β2-formula ⟨q?⟩⟨(q?)*⟩(p ∧ ¬p) is a (9:)-formula, the (*)1-rule puts 
this formula into its Nx_2, the Nx-value of node (4), and thus forces node (4) to 
have ⟨q?⟩⟨(q?)*⟩(p ∧ ¬p) as its principal formula. For the same reason, the (*)1-rule 
puts its own principal formula ⟨(q?)*⟩(p ∧ ¬p) into its BD_2, the BD-value of node (4). 
Hence node (4) decomposes ⟨q?⟩⟨(q?)*⟩(p ∧ ¬p) according to the (?)-rule. Again, 
the resulting node (5) is forced to have ⟨(q?)*⟩(p ∧ ¬p) as its principal formula via 
its Nx-value, and gets its BD-value unchanged from node (4). 

Node (5) has the same principal formula as node (1), so applying the (*)1-rule 
to node (5) would cause the procedure to enter an "at a world" (infinite) cycle. 
Because the history BD of node (5) contains ⟨(q?)*⟩(p ∧ ¬p), the (*)1-rule is blocked 
on node (5), but the (*)2-rule is not. Hence the branch is terminated and the status 
of node (5) is set to barred (thereby avoiding the "at a world" cycle). 

Node (4) inherits the status from node (5) unchanged and node (1) is marked 
barred also according to the definition of stat in the β-rules. Therefore the tableau 
is not open. Note that the variable uev does not play a role in this example as it is 
irrelevant for nodes that are closed or barred. 

The second example demonstrates the role of uev. The formula [a*]p → [(a;a)*]p 
is valid. Hence, its negation ϕ := [a*]p ∧ ⟨(a;a)*⟩¬p, which is already in negation 
normal form, is unsatisfiable and the root of any expanded tableau for ϕ 
should not be open. Figure 2 shows such a tableau. The unlabelled edges in 
Fig. 2 link states to core-nodes. We omit the histories BD and BB as they do 
not play an important role in this example. Each partial function UEV_i maps the 
formula-pair (ψ_i, χ_i) in Table 2 to 1 and is undefined otherwise as explained below. 
The histories are HCR_1 := [(φ_1, Δ_1)] where φ_1 := ⟨a⟩⟨(a;a)*⟩¬p and Δ_1 := 
{[a*]p, ⟨a⟩⟨(a;a)*⟩¬p} and HCR_2 := HCR_1 @ [(φ_2, Δ_2)] where φ_2 := ⟨(a;a)*⟩¬p 
and Δ_2 := {[a*]p, ⟨(a;a)*⟩¬p}. 

Table 2 
Definitions for the example in Fig. 2 

UEV_i | i = 1 | i = 2 | i = 3 | i = 4 
ψ_i | ⟨a⟩⟨a⟩⟨(a;a)*⟩¬p | ⟨a;a⟩⟨(a;a)*⟩¬p | ⟨(a;a)*⟩¬p | ⟨a⟩⟨(a;a)*⟩¬p 
χ_i | ⟨(a;a)*⟩¬p | ⟨(a;a)*⟩¬p | ⟨(a;a)*⟩¬p | ⟨(a;a)*⟩¬p 

The dotted frame at (7a) indicates that its child, an id-node, is not shown due to 
space restrictions. Thus the marking of the nodes (3a) and (7a) in Fig. 2 with unsat 
is straightforward. The leaf (9) is a ()-node, but it is "blocked" from creating its 
successor containing Δ := {[a*]p, ⟨a⟩⟨(a;a)*⟩¬p} because there is a j ∈ N such that 
HCr_9[j] = HCR_2[j] = (⟨a⟩⟨(a;a)*⟩¬p, Δ): namely j = 1. Thus the ()-rule computes 
UEV_1(⟨a⟩φ_1, ⟨(a;a)*⟩¬p) = 1 as stated above and also puts stat_9 := open. As 
node (7a) is closed, nodes (8), (7b), (7), (6), and (5) inherit their functions UEV_i 
from their open children via the corresponding α- and β-rules. 

The crux of our method occurs at node (4), a ()-node with HCr_4 = [] and 
hence len(HCr_4) = 0. The ()-rule thus finds a child node (5) and a pair of formulae 
(ψ, χ) := (⟨a⟩⟨(a;a)*⟩¬p, ⟨(a;a)*⟩¬p) where ψ is a core-formula, ψ ∈ pre(χ), 
and 1 = UEV_4(ψ, χ) = uev_5(ψ, χ) > len(HCr_4) = 0. Thus node (4) "sees" a 
child (5) that "loops lower", meaning that node (5) is the root of an "isolated" sub- 
tree which fails to fulfil its eventuality ⟨(a;a)*⟩¬p. The ()-rule marks (4) as closed 
via stat_4 = unsat. The propagation of unsat to the root is simple. 

What if the omitted child of (7a), and hence (7a) itself, had been open? 
Then UEV_3 in (7) would be undefined everywhere via the (*)1-rule, regardless 
of uev_7b. Thus ⟨(a;a)*⟩¬p in (7) would be fulfilled via the β1-child (7a). 
Hence UEV_4 would be undefined everywhere, and node (4) would not be closed. 
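
The backtracking of the second example, from the blocked leaf (9) up to state (4), can be replayed mechanically. The Python code below is an added example and not the TWB prototype's code; it also runs the counterfactual in which (7a) is open. Assumptions: the tuple encoding and all function names are hypothetical, pre(χ) is read as "χ behind zero or more diamonds", every state here has exactly one diamond formula, and the status of a (*)1-node with no open child is read off the two worked examples.

```python
OPEN, UNSAT, BARRED = "open", "unsat", "barred"

# Constructed encoding (not the paper's): ("dia", prog, f) is <prog>f,
# ("box", prog, f) is [prog]f; programs are "a", ("seq", x, y), ("star", x).
def dia(prog, f):
    return ("dia", prog, f)

AA = ("seq", "a", "a")
CHI = dia(("star", AA), ("not", "p"))   # <(a;a)*>~p, the eventuality
BOX = ("box", ("star", "a"), "p")       # [a*]p
PHI1 = dia("a", CHI)                    # core formula of node (5)
PSI1 = dia("a", PHI1)                   # <a><a><(a;a)*>~p
D1 = frozenset({BOX, PHI1})             # formula set of core-node (5)
D2 = frozenset({BOX, CHI})              # formula set of core-node (7)
HCR1 = [(PHI1, D1)]
HCR2 = HCR1 + [(CHI, D2)]

def in_pre(psi, chi):
    """Assumed reading of pre(chi): chi behind zero or more diamonds."""
    while psi != chi:
        if not (isinstance(psi, tuple) and psi[0] == "dia"):
            return False
        psi = psi[2]
    return True

def find_block(hcr, core, succ):
    """1-based position j with HCr[j] == (core, succ), else None."""
    for j, pair in enumerate(hcr, start=1):
        if pair == (core, succ):
            return j
    return None

def rename(uev, parent_formula, child_formula):
    """Linear rule: the principal formula inherits the uev entries of the
    formula it was decomposed into; all other entries pass through."""
    return {(parent_formula if f == child_formula else f, chi): h
            for (f, chi), h in uev.items()}

def star1_rule(principal, beta1, beta2, part2):
    """(*)1-rule: beta1 holds the body, beta2 holds part2 = <alpha><alpha*>body."""
    if beta1[0] == OPEN:                # eventuality fulfilled via the beta1-child
        return OPEN, {}
    if beta2[0] == OPEN:
        return OPEN, rename(beta2[1], principal, part2)
    return (BARRED if BARRED in (beta1[0], beta2[0]) else UNSAT), {}

def state_rule(hcr, diamond, succ, child=None):
    """()-rule for a state whose only diamond formula is `diamond`."""
    core = diamond[2]
    j = find_block(hcr, core, succ)
    if j is not None:                   # blocked: virtual successor at height j
        return OPEN, ({(diamond, CHI): j} if in_pre(core, CHI) else {})
    stat, uev = child
    if stat != OPEN:                    # closed or barred child closes the state
        return UNSAT, {}
    if any(h > len(hcr) for (f, _), h in uev.items() if f == core):
        return UNSAT, {}                # child "loops lower": bad loop
    return OPEN, {(diamond, chi): h for (f, chi), h in uev.items() if f == core}

def replay_figure2(stat_7a=UNSAT):
    """Backtrack from leaf (9) to state (4); stat_7a=OPEN is the counterfactual."""
    n9 = state_rule(HCR2, PSI1, D1)                    # blocked by node (5)
    n8 = n9                                            # [*]-node: uev unchanged
    n7b = (n8[0], rename(n8[1], dia(AA, CHI), PSI1))   # (;)-node
    n7 = star1_rule(CHI, (stat_7a, {}), n7b, dia(AA, CHI))
    n6 = state_rule(HCR1, PHI1, D2, child=n7)
    n5 = n6                                            # [*]-node: uev unchanged
    n4 = state_rule([], PSI1, D1, child=n5)
    return {"9": n9, "7b": n7b, "7": n7, "6": n6, "4": n4}

if __name__ == "__main__":
    for name, (stat, uev) in replay_figure2().items():
        print(name, stat, sorted(uev.values()))
```

Node (6) stays open because its child's loop height 1 does not exceed len(HCR_1) = 1, while node (4) closes because the same height exceeds len([]) = 0.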

5 Conclusion and Further Work 



We have given a sound, complete and terminating procedure for checking PDL- 
satisfiability. Unfortunately, its worst-case time-complexity is in 2EXPTIME rather 
than in EXPTIME, thus our procedure is sub-optimal. We now outline some further 
practical and theoretical work which may eliminate this disadvantage. 

First, we believe that a small refinement of our histories will allow our calculus 
to classify a loop as "bad" or "good" at the looping leaf, as is done by Baader's 
procedure [3], but with no pre-computation of automata. Thus it should be possible 
to extend DLP to handle our method. Further experimental work is required to 
determine if such an extension will remain practical. 

Second, recent work has shown that global caching can indeed deliver optimality 
of tableau procedures soundly [10]. The histories used in our calculus make it harder 
to extend sound global caching to it since nodes are now sensitive to their context 
in the tree under construction. Further theoretical work is required to extend sound 
global caching to handle such context sensitivity. 
Nodes of the tableau in Fig. 2, each as formulae :: HCr, Nx :: stat, uev: 

(1) ∧-node: [a*]p ∧ ⟨(a;a)*⟩¬p :: [], ⊥ :: unsat, uev⊥ 
(2) [*]-node: [a*]p, ⟨(a;a)*⟩¬p :: [], ⊥ :: unsat, uev⊥ 
(3) (*)1-node: p, [a][a*]p, ⟨(a;a)*⟩¬p :: [], ⊥ :: unsat, uev⊥ 
(3a) id-node: p, [a][a*]p, ¬p :: [], ⊥ :: unsat, uev⊥ 
(3b) (;)-node: p, [a][a*]p, ⟨a;a⟩⟨(a;a)*⟩¬p :: [], ⟨a;a⟩⟨(a;a)*⟩¬p :: unsat, uev⊥ 
(4) ()-node: p, [a][a*]p, ⟨a⟩⟨a⟩⟨(a;a)*⟩¬p :: [], ⊥ :: unsat, uev⊥ 
(5) [*]-node: [a*]p, ⟨a⟩⟨(a;a)*⟩¬p :: HCR_1, ⊥ :: open, UEV_4 
(6) ()-node: p, [a][a*]p, ⟨a⟩⟨(a;a)*⟩¬p :: HCR_1, ⊥ :: open, UEV_4 
(7) (*)1-node: [a*]p, ⟨(a;a)*⟩¬p :: HCR_2, ⟨(a;a)*⟩¬p :: open, UEV_3 
(7a) [*]-node: [a*]p, ¬p :: HCR_2, ⊥ :: unsat, uev⊥ 
(7b) (;)-node: [a*]p, ⟨a;a⟩⟨(a;a)*⟩¬p :: HCR_2, ⟨a;a⟩⟨(a;a)*⟩¬p :: open, UEV_2 
(8) [*]-node: [a*]p, ⟨a⟩⟨a⟩⟨(a;a)*⟩¬p :: HCR_2, ⊥ :: open, UEV_1 
(9) ()-node: p, [a][a*]p, ⟨a⟩⟨a⟩⟨(a;a)*⟩¬p :: HCR_2, ⊥ :: open, UEV_1 (blocked by node (5)) 

Fig. 2. A second example: a closed tableau for [a*]p ∧ ⟨(a;a)*⟩¬p 
Appendix: Termination, Soundness and Completeness 

Definition 5.1 Let G = (W, R) be a directed graph (e.g. a tableau where R is 
just the child-of relation between nodes). A path π in G is a finite or infinite 
sequence x_0, x_1, x_2, ... of nodes in W such that x_i R x_{i+1} for all x_i except the last 
node if π is finite. 



Termination 

Theorem 4.6 T is a finite tree. 

Proof Sketch It is obvious that T is a tree and that every node in T can contain 
only formulae from the negation normal form analogue cl(ϕ) of the Fischer-Ladner 
closure [8]. The definition of cl(ϕ) has been omitted to save space, but cl(ϕ) is finite. 
Hence there are only a finite number of different sets that can be assigned to nodes, 
in particular core-nodes, and the number of pairs (φ, Δ) with φ ∈ Δ ⊆ cl(ϕ) is 
finite. As each core-node is assigned such a pair and the ()-rule ensures core-nodes 
on a branch possess different pairs, the number of core-nodes on a branch is finite. 

It is not obvious that the number of nodes between consecutive core-nodes on 
a branch is finite since ⟨α*⟩- and [α*]-formulae like ⟨a**⟩φ can "regenerate" on 
a branch without passing a core-node (e.g. ⟨a**⟩φ ⇝ ⟨a*⟩⟨a**⟩φ ⇝ ⟨a**⟩φ). 
However, it is relatively easy to see that formulae of the form ⟨α*⟩φ or [α*]φ are the 
only potential "troublemakers" between two states. For formulae of the form [α*]φ 
regeneration between two core-nodes is clearly ruled out by the history BB and the 
[*]-rule. For formulae of the form ⟨α*⟩φ, the job is done by the history BD and 
the (*)1 and (*)2-rules. In the latter case, it is crucial that the procedure chooses 
the decomposition of a principal (9;)-formula as the principal formula of the child, 
provided that the decomposition is also a ((^-formula. 

As the number of nodes between two core-nodes is finite, and there are only 
finitely many core-nodes on any branch, all branches in T are finite. Every node 
has finite degree so Konig's lemma completes the proof. □ 

Soundness 

Theorem 4.7 If the root r ∈ T is open, there is a Hintikka structure for ϕ. 

Proof. By construction, T is a finite tree. Let Tp ("p" for pruned) be the subgraph 
that consists of all nodes x having the following property: there is a path of open 
nodes from r to x inclusive. The edges of Tp are exactly the edges of T that connect 
two nodes in Tp. Clearly, Tp is also a finite tree with root r. Intuitively, Tp is the 
result of pruning all subtrees of T that have a closed or barred root. 

Next, we extend T_p to a finite cyclic tree T_l ("l" for looping) by doing the 
following for every state x: for every formula ⟨a⟩φ ∈ x having a virtual successor y, 
which must lie on the path from r to x, we add the edge (x, y) to T_l. These new 
edges are called backward edges. Note that as id-nodes are closed by construction 
of T, all leaves of T_p must be states where all ()-formulae (if any) are blocked. Hence 
every formula ⟨a⟩φ of every leaf has a virtual successor. 

Finally, following Ben-Ari et al. [4], the cyclic tree T_l is used to generate a 
structure H = (W, R, L) as described next. Let W be the set of all states of T_l. 
For every a ∈ APrg and every s, t ∈ W, let s R_a t iff s contains a formula ⟨a⟩ψ 
and there exists a path x_0 = s, x_1, ..., x_{k+1} = t in T_l such that x_1 is the (possibly 
virtual) successor of ⟨a⟩ψ and each x_i, 1 ≤ i ≤ k is an α- or a β-node. Thus state t 
is a "saturation" of x_1 using only α- and β-rules. Note that s R_a t and s R_b t is 
possible for a ≠ b, because two formulae ⟨a⟩φ ∈ s and ⟨b⟩φ ∈ s might have the 
same virtual successor: see point (7) of the ()-rule. It is also possible that s R_a t 
and s R_a u for t ≠ u. 

If we consider the root r of Tj as a core- node for a moment, it is not hard to see 
that for every state s £ Ti there exists a unique core-node x £ Ti and a unique path vr 
of the form xq = x,xi, . . . ,Xk = s in Ti such that either A; = (and thus s = x) 
or k > and each Xi,0 < i < k — 1 is not a state. We set L{s) to be the union 
of all formulae of all nodes on vr. Intuitively, we form L{s) by adding back all the 
principal formulae of the a- and /3-rules which were applied to obtain s from x. 

It is almost straightforward to check that H is a pre-Hintikka structure for (j). 
There are only two things that deserve extra comments: Firstly, it is not possible 
that Ti contains a (*)2-node as it would be barred. Secondly, assume that y £ Ty 
is a [*]-node with principal formula [a*]ip and s is a state such that y lies on the 
path vr to s that defines the set L{s), which contains [«*]</', as described above. 
Then either (p and [a][Q;*](/J are contained in the child of y in Ti, or - as the first 
node a; on TT is a core-node with BB^ = - there exists another [*]-node on vr that 
also has [a*](/9 as principal formula and its child in Ti contains if and [a] [«*](/?. As 
the child of an a-node that lies on vr must lie on vr too, in both cases, there is a node 
on vr containing ip and [a][a*](/5. Thus ip and [a][a*]v3 are also contained in L{s). 

To show that H is even a Hintikka structure we use Lemma 5.2 to conclude H6 
as is shown next. 

Suppose {a*)ip £ L{s). If we also have ip £ L{s) then (s, (a*)c^), (s, c^) is a 
fulfilling chain for {ip,a*,s) and we are done. Otherwise, the finiteness of the 
tableau and the fact that H is a pre-Hintikka structure give us a sequence a = 
{s, ifo),... , (s, ipm) such that: 

• Pi £ pre((a*)(^) and pi £ L{s) for all < i < m 

• (po = {a*)(p and (pm = {(i)p' for some a £ APrg and p' £ Fml 
' ipi -^ (pi+i for all < i < 771 — 1. 

Applying Lemma 5.2 for the state s and the formula (pm = (a)'/'' gives us a 
sequence a' := (yoj V'o)! • • • > (j/nj V'n) with the properties stated in Lemma 5.2. 
Let yn, . . . , yn+m be an arbitrary path in Ti such that yn+m is a state. Next, we 
replace each ?/j,l < i < n in a' with the first state Sj that appears on the path 

?/«)••• 1 Un ) • • • ) yn+m ■ 

It is easy to check that the combined sequence a, a' is a fulfilling chain 
for (p, a*, s) in H if we contract all consecutive repetitions of pairs. This concludes 
the proof. □ 

Lemma 5.2 Let y £ T\ be a node and tp £ y a formula such that ip £ pre{{a*)p). 
There exists a finite sequence a' = {yo, ipo), . . . , (y„, ipn) of pairs with n > such 
that: 

• yo, . . . ,yn is a path in T\ 
• Vi £ Ti, ipi G pre((/9), and ipi G yi for all < i < n 

• Ho = y, i^o = fp, i^n = '■P, cLnd tjji ^ if for all < i < n — 1 

• for all < i < n — 1, either ipi = V'i+i or: if ipi = {a)x for some a G APrg 
and X G Fml then yi is a state else ipi ~^ ipi+i ■ 

Proof. We inductively construct a' starting with (yO)V'o) '■= (2/)V')- Most of the 
required properties of a' follow directly from its construction and we leave it to the 
reader to check that they hold. 

Step 1 Let {yi,ipi) be the last pair of a' . We distinguish three cases: either yi is 
an a- or /3-node and ipi is not the principal formula in y^; or yi is an ex- or /3-node 
and Ipi is the principal formula in y,; or yi is a state. 

If yi is an a- or /3-node and ipi is not the principal formula in yi, we 
set ipi+i := Ipi and we choose yj+i to be a successor of yi in T\ such that 
neYy^{'^pi, {a*)(p) = uevy.^-^(^i+i, (a*)^). Note that such a yj+i always exists since 
the value of uevy. ('0j, {a*)(p) is determined by one of its open children during the 
construction of T and hence T\. But it does not have to be unique. We then repeat 
Step 1. 

If yi is an a- or /3-node and tpi is the principal formula in yi, we look at all 
pairs {x, x) such that x is a child of yi in Ti and ipi is decomposed into x ^ ^ 
and Ipi -^ X holds. By construction of T and hence Ti there is at least one open child 
such that the corresponding pair {x,x) obeys uevy^{ipi, {a*)ip) = ueVxiXi {(^*)V')- 
Let {yi+i,ipi+i) be such a pair. If ipi+i = (p we stop and return a'; otherwise we 
repeat Step 1. 

If yi is a state, it is not too hard to see that ipi must be of the form {a)x for 
some a G APrg and x ^ Fml. We set (yj_|_i,'0j+i) := {x,x) where x is the (possibly 
virtual) successor of ipi = {a)x and repeat Step 1. Note that if x is a non- virtual 
successor of ipi, we have uev^. (■0i, (a*)<^) = UG^yi+ii'4'i+iA'^*)^) by construction 
of T and hence T\. Also note that if x is a virtual successor of ipi then ipi-\-i = X is 
the core- formula of yj+i by construction of T and hence T\. 

The only way for Step 1 to terminate is by finding V^i+i = ^- It is not difficult 
to see that the resulting (finite) sequence a' fulfils all requirements and the proof 
is completed. Hence the rest of the proof shows that a' as constructed by Step 1 is 
finite. Step 1 maintains the following invariant: 

(t) For all appropriate i G N we have uevy^{1pi, {a*)(p) = uevy^^-^^{1pi+l, {a*)ip) un- 
less yi+i is the virtual successor of ipi € yi- 

In other words, the values of uevy.{ipi, {a*)ip) and uevj^.^^('0j_|_i, (a*)(^) can dif- 
fer only if (yi,yi+i) is a backward edge in T[. We distinguish two cases: ei- 
ther uevy^lipo, {a*)if) is undefined or it is defined. In both cases we show that 
the path yQ,yi, . . . can only have a finite number of backward edges. As every infi- 
nite path in T\ must use an infinite number of backward edges since T and Tp are 
finite trees, this proves that Step 1 terminates. 

Case 1. If uevyQ('0o, (ct*)(^) is undefined, the path yo, yi, . . . cannot contain a back- 
ward edge as shown next. Assume for a contradiction that yi with i > is the first 
node such that {yi, yi+i) is a backward edge. Since the initial neVy^lipQ, {a*)ip) was 




Abate and Gore and Widmann 

undefined, by (†) we know that uev_{y_i}(ψ_i, ⟨α*⟩φ) is undefined. But y_i is a state and 
as ψ_i ∈ y_i, which must be of the form ⟨a⟩χ for some a ∈ APrg and χ ∈ Fml, has a 
virtual successor z, uev_{y_i}(ψ_i, ⟨α*⟩φ) is defined to be the height of z by the applica- 
tion of the ()-rule to y_i during the construction of the tableau. Thus uev_{y_i}(ψ_i, ⟨α*⟩φ) 
is both defined and undefined, which is a contradiction. 

Case 2. If h := uevj^(,(^0) ("*)¥') is defined, the path yo,yi, . . . can only contain a 
finite number of backward edges as shown next. Let yi with i > be the first node 
such that (yj, yj+i) is a backward edge. If no such node exists, we are obviously done. 
Otherwise, we have uevy^{'ipi, {a*)ip) = hhy (f). This means by construction of the 
tableau that there exists a set A C Fml such that (V'i+i) {V'i+i} U A) = HCryJ/i]. 
Thus yj+i is the h core-node (child of a ()-node) on the path from the root r to yi 
in Ti and we have len(IICrj,.^j) = hhy construction of HCr. 

If uevy {ipi^i, {a*)f) had a value equal to or greater than h then the ()-rule 
would cause the parent of yi+i in T\ to be marked as closed since V'j+i is the core- 
formula of yi+i; but we know this is not the case. Hence uevy.^-^('i/'i+i, (a*)^) is 
either undefined or has a value h' that is strictly smaller than h. 

If uevy.^-^('0i+i, {a*)ip) is undefined, we can prove exactly as in Case 1 that the 
path yj4.i,yj_|_2, . . . cannot contain a backward edge. On the other hand, if h' := 
uevy.^-^('0j+i, {a*)(p) is defined, we can inductively repeat the arguments in Case 2 
for the sequence (yj+i, ^j+i), {yi+2,'ipi+2), ■ ■ ■ ■ The induction is well-defined because 
of h' < h, meaning that eventually this inductive argument must terminate because 
all such /i- values must be in N>o. □ 

Completeness 

Definition 5.3 Let M = {W, R, V) be a model, w & W a state and (p G Fml a 
formula of the form if = (ai) . . . {atjip for some k > Q and ai, . . . , a^ € Prg and ^ G 
Fml. A witness chain for (93, V', M, w) is a finite sequence (t(;o, V^o)) • • • ) {wnii^n) of 
world- formula pairs with n > such that: 

(1) Wi G W, ipi € pre('(/'), and M, Wi Ih V'i for all < i < n 

(2) wq = w, ipo = if, ipn = fp, and ^j 7^ -;/' for all < i < n — 1 

(3) \/i,j e {0,...,n}.i^ j => {wi,tl;i) ^ {wi+i,Tpi+i) 

(4) for all < i < n — 1, iiipi = {a)x for some a € APrg and x S Fml then V'i+i = X 
and Wi Ra tf^i+i; otherwise V'i ~^ '4'i+i and Wi = Wi+i. 

Proposition 5.4 In the setting of Def. 5.3, we have: 

(1) for every 1 < i < k there exists an m < n such that (u)o, V'o), ■ ■ ■ , iwm,'4'm) is 
a witness chain for (ip, (ai) . . . {ak)^, M, w) 

(2) if Ok = /3* for some (5 G Prg then ^n-i = (/3*)'0- 

Proposition 5.5 Let M = {W, R, V) be a model, w G W a state and ip G Fml 
a formula of the form if = (ai) . . . {ak)ip for some k > and ai, . . . ,0^ G Prg 
and i{j G Fml. If M,w Ih 93 then there exists a witness chain for {ip,ip,M,w). 

From now on, let F^ denote the set of formulae of a node y (z T. We say that a 
finite set of formulae F is satisfiable iff Ai^er ^ ^^ satisfiable. 
Lemma 5.6 Let x G T with BD^ = and principal formula (p G Fnil(j^) of the 
form if = (ai) . . . {ak)ip for some k > and ai,. . . ,ak € Prg and tp € Fml\Fml(). 
Let M = {W,R,V) be a model and w £ W a world such that {M,w) satisfies Tx- 
Furthermore let a = {wo,^po), . . . , (wnjipn) be a witness chain for {ip, ip, M, w). Then 
there exists a finite path tt = zq,zi, . . . ,Zm in T with the following properties: 

(i) m <n, zq = X, BD^^ = 0, and the only state (if any) is Zm 

(a) Wi = w, ipi £ Zi, and (Af, w) satisfies F^. for all < i < m 

(Hi) ipi S Fnil(9^ is the principal formula of Zi for all < i < in — 1 

(iv) tpm = ip or tpm = («)x for some a € APrg and x G Fml. 

Proof. We inductively construct vr starting with zq = x, such that the following 
invariant holds: 

(d) m < n and for all < i < m: Wi = w and (M, w) satisfies F^. and tpi G Fml(9) 
is the principal formula of Zi . 

Note that (ft) holds for the initial path n = zq. Also note that if vr fulfils (ft) then 
no node on vr can be a state and and ipi S Zj for all < z < r?i. 

Step 2 Let Zm be the last node of vr. It cannot be an id-node because it is satis- 
fiable, nor a (*)2-node for the following reason: Assume that Zm were a (*)2-node. 
Then ■0m & BD^^ due to the (*)2-rule and there must be an ancestor node z of Zm 
in T which inserted V'm into the BD of its child such that V'm is contained in the BD 
of all nodes between z (exclusive) and Zm (inclusive). As BD^q = by assumption, 
the node z must lie on vr, i.e. z = z^' for some m' < m. Due to the tableau rules 
and the fact that z inserted ipm, the node z must be a (*)i-node with principal for- 
mula 0m; but that - together with ((j) - entails (w^'jipm') = {w-,i^m) = {wm-.i^m) 
which is not possible because o" is a witness chain. Hence Zm is a not a (*)2-node. 

Let Zm+i be the child of Zm. where il^m is decomposed into 0m+i- Such a child 
must exist because we have m < n and 0^ "^ 0™+! due to the definition of the 
witness chain a and the fact that ipm £ Fml((^). The same reasoning also gives 
nsw = Wm = Wm+i and M, w Ih ipm+i- Moreover, the set F^^ is satisfied by (M, w) 
by (ji) and F^^^^ = (F^^ \ {^m}) U {ipm+i} by construction of the tableau T. Hence 
the set F^^+i is satisfied by {M,w). 

Now we distinguish whether or not ipm+i is a ((^-formula. 

If V'm+i is a (^-formula, it must be the principal formula of Zm.+i due to the 
tableau rules and the fact that we have ipm £ Finl{(/). Moreover, we have m+1 < n 
because 0m+i 7^ = 0n and ip ^ Fml(). Thus our invariant (Jj) for vr extended 
by ipm+i still holds and we repeat Step 2. 

If ijjm+i is not a ((i)-formula, we have BDz^_^_^ = due to the tableau rules 
and the fact that ipm & Fml(j^). Furthermore, we have ipm = ip or ipm = {^)x 
for some a € APrg and x ^ F™1 because o" is a witness chain. Thus vr extended 
by 0m+i fulfils all the required properties of the lemma which concludes the proof 
in this case. 

As a is finite, Step 2 must terminate after a finite number of repetitions which 
means that we have found a path vr that proves this lemma. □ 
Lemma 5.7 Let x ^T with BD^. = and M = (W, R, V) be a model and w ^W a 
world such that (M, w) satisfies Tx- Then there exists a finite path tt = zq,zi, . . . ,Zn 
in T with the following properties: zq = x, Zn is the only state on vr, and (M, w) 
satisfies F^. for all < i < n. 

Proof. We inductively construct π starting with z_0 = x such that the following 
invariant holds: 

(:|:) (M, w) satisfies Ty for every node y omr and the last node Zi of vr has BD^. = 0. 

Note that the initial ir = zq fulfils the invariant by assumption. 

Step 3 Let Zi be the last node of vr. If Zi is a state, we stop and return vr. Otherwise, 
we distinguish two cases: either the principal formula of Zi is not a ()-formula or it 
is a ()-formula. 

If the principal formula of zt is not a ()-formula, we choose Zj+i to be a successor 
of Zi in T such that {M,w) satisfies ^z^+i- The existence of Zj+i is guaranteed by 
Prop. 2.6, the fact that (M, w) satisfies P^. by {'\.), and the fact that Zi cannot be an 
id-node because Zi is satisfiable nor a (*)2-node because Zj's principal formula is not 
a ()-formula. As Zj's principal formula is not a ()-formula and BD^^ = by (:|:), we 
also have BD^.^-^ = by a simple inspection of the tableau rules. We then repeat 
Step 3. 

If the principal formula ip of Zi is a ()-formula, it is also a (/i)-formula be- 
cause Zi is not a state. Hence it must be of the form ip = (ai) . . . {ak)ip for 
some A; > and ai,...,ak € Prg and tp € Fml \ Fml(). As {M,w) satis- 
fies F^. by (X) and ip € F^., we have M,w Ih ip. Thus Prop. 5.5 gives us a se- 
quence a := (ziiQ, '^o), • • • 5 {wn, ipn) with the properties stated in Prop. 5.5. 

Next we apply Lemma 5.6 to Zi and obtain a path r with the properties of 
Lemma 5.6. Finally, the new vr is obtained from the old vr by appending r - minus 
the first node Zi which is already the last node of vr - to the old vr. As (M, w) 
satisfies Ty for all y on t and the last node y' on r has BD^/ = 0, the new vr 
fulfils (X). We then repeat Step 3. 

As T is finite, it is easy to see that Step 3 terminates, meaning that the last 
node Zn of the finite path vr is the only state on vr. □ 

Lemma 5.8 For every closed node x = {T ::■■■■.:■■■) in T, the set Tx is not 
satisfiable. In particular, if r is closed then (j) is not satisfiable. 

Proof. We use well-founded induction on the (strict) descendant relation of T. 
As T is a finite tree, the descendant relation is clearly well-founded. Thus we can 
use the following induction hypothesis for every node x G T: 

IH: for every descendant y of x, if y is closed then the set Fj^ is not satisfiable. 

If a leaf x S T is closed, it must be an id-node as a state with no children 
is always open. Hence, our theorem follows from the fact that {p, ^p} C x for 
some p € AFml. Note that this can be seen as the base case of the induction as 
leaves do not have descendants. 

If x is a closed α-node then its child must be closed as well so we can apply 
the induction hypothesis and the claim follows from the fact that - in the sense of 
Table 1 - the formulae of the form α ↔ α1 ∧ α2 are valid (Prop. 2.6). 

If x is a closed β-node then both children are closed as well so we can apply 
the induction hypothesis and the claim follows from the fact that - in the sense of 
Table 1 - the formulae of the form β ↔ β1 ∨ β2 are valid (Prop. 2.6). Note that x 
cannot be a (*)2-node as it would not be closed in this case. 

If X is a closed ()-node {i.e. a closed state) then it has at least one child and 
there are three possibilities for why it was marked as closed by the ()-rule: 

(1) Some child xq of x is closed. 

(2) Some child xo of x is barred. 

(3) Some open child xq of x with core-formula (/? has neYxo{^-,{ot*)il)) > h := 
len(IICr2;) for some a G Prg and if: € Fml with ip G pre((a*)'0). 

Case 1. In the first case, it is not too hard to see that the satisfiability of T^ implies 
the satisfiability of Txq since the ()-rule preserves satisfiability from parent to child. 
By the induction hypothesis, we know that Txq is not satisfiable, therefore T^ cannot 
be satisfiable either. 

Case 2. In the second case, we assume that Txq is satisfiable and derive a contra- 
diction. We can then prove the claim as in the first case. 

So, for a contradiction, let M = (W, R, V) be a model and w ^W a. world such 
that {M,w) satisfies Txg. As BD^:^ = by the ()-rule, we can apply Lemma 5.7 
which gives us a path vr in T with the properties stated in Lemma 5.7. Let y be the 
last node of vr, hence y is a state. It is a descendant of xq, therefore the induction 
hypothesis applies to it. By Lemma 5.7, {M,w) satisfies Ty, hence y cannot be 
closed; but this means that y must be open as states can only be closed or open by 
the ()-rule. It is now easy to see that all nodes on vr must also be open due to the 
construction of the variable stat in the a- and /3-rules. But this is a contradiction 
to the assumption that xq, which is the first node on vr, is barred. 
Case 3. In the third case, we assume that T^q is satisfiable and derive a contradic- 
tion. We can then prove the claim as in the first case. 

So, for a contradiction, let M = {W, R, V) be a model and w £ W a world 
such that (M,w) satisfies T^q- In particular, we have M,w Ih cp by assumption 
since ip € xq. As ip G pre((a*)'(/'), it is of the form ip = (ai) . . . (ak-i) {a*)ip for 
some ai, . . . , Ok-i G Prg. Furthermore, let ip be of the form ip = (afc+i) . . . {ak+i)ip' 
for some a^+i, ■ ■ ■ , ctk+l G Prg and tp' G Fml \ Fml(). Note that / = is possible: 
in this case we already have ip G Fml \ Fml(). 

Applying Prop. 5.5 to M and (p = (ai) . . . {ak+i)ip' with Ok := a* gives us a 
witness chain a = {wo,ipo), . . . ,{wn,ipn) for {ip,ip' ,M,w). According to Prop 5.4, 
there exists an n' < n with ip^' = ip = {ok+i) ■ ■ ■ {ak+i)ip' and Vn'-i = {a*)ip. 
Our plan is to "walk down" the tableau T - starting from xq - in a way that is 
"consistent" with a which will lead to a contradiction when we "reach" ipn'- 

As BDj-g = by the ()-rule, we can apply Lemma 5.6 which gives as a path vri = 
zq, zi, . . . , Zm in T with the properties stated in Lemma 5.6. We can then apply 
Lemma 5.7 to Zm which gives us a path tt2 with the properties stated in Lemma 5.7. 
Let s be the last node of 7r2, hence s is a state. It is a descendant of xq, therefore 
the induction hypothesis applies to it. Thus s cannot be closed because (M, w) 
satisfies Tg by Lemma 5.7; but this means that s must be open as states can only be 
closed or open by the ()-rule. If we join tti and 112 to obtain vr, it is now easy to see 
that all nodes on vr must also be open due to the construction of the variable stat 
in the a- and /3-rules. 

By assumption we have ueVxo{<f, {a*)^p) > h. As all nodes on vri are open 
and ipi € Fml(^) is the principal formula of Zi for all < i < m — 1, we also 
have uevzi{ipi, {a*)ip) > h for all < i < m, — 1 by definition of the a- and /3-rules. 
We now distinguish whether or not n' < m. 

If $n' \le m$ then we have
$\mathrm{uev}_{z_{n'-1}}(\langle a^*\rangle\psi, \langle a^*\rangle\psi) > h$ as
$\psi_{n'-1} = \langle a^*\rangle\psi$; but as $\langle a^*\rangle\psi$ is the
principal formula of $z_{n'-1}$, this is only possible if the first child of
$z_{n'-1}$, which is $z_{n'}$ as $\psi_{n'} = \psi$ by definition of $z_{n'}$,
is not open according to the construction of uev in the
$\langle * \rangle_1$-rule. This, however, is a contradiction to the fact that
all nodes on $\pi_1$, in particular $z_{n'}$, are open.

If $n' > m$, we must have $\psi_m = \langle a\rangle\chi$ for some
$a \in \mathrm{APrg}$ and $\chi \in \mathrm{Fml}$ as $\psi_m = \psi'$ is clearly
not possible. Furthermore, we have
$\mathrm{uev}_{z_m}(\langle a\rangle\chi, \langle a^*\rangle\psi) > h$ by
definition of the $\alpha$- and $\beta$-rules. As $z_m$ is the first node on
$\pi_2$ and all nodes on $\pi_2$ are open, we also have
$\mathrm{uev}_y(\langle a\rangle\chi, \langle a^*\rangle\psi) > h$ for all nodes
$y$ on $\pi_2$ by definition of the $\alpha$- and $\beta$-rules. In particular,
we have $\mathrm{uev}_s(\langle a\rangle\chi, \langle a^*\rangle\psi) > h$. Let
$x_1$ be the (possibly virtual) successor of $\langle a\rangle\chi \in s$ that
contains $\psi_{m+1} = \chi$. Then
$\sigma' := (w_{m+1}, \psi_{m+1}), \ldots, (w_n, \psi_n)$ is clearly a witness
chain for $(\psi_{m+1}, \psi', M, w_{m+1})$ which is strictly shorter than
$\sigma$ and still contains $\psi_{n'}$ and $\psi_{n'-1}$. Note that
$n' > m+1$ as $\psi_m = \langle a\rangle\chi \ne \langle a^*\rangle\psi$.
Additionally, we make the following two claims:

(1) $\mathrm{uev}_{x_1}(\psi_{m+1}, \langle a^*\rangle\psi) > h$ and $x_1$ is a
descendant of $x_0$ (i.e. the induction hypothesis holds in the subtree rooted
at $x_1$).

(2) $(M, w_{m+1})$ satisfies $\Gamma_{x_1}$.

Before we prove the two claims, we show their consequences: Basically, the two
claims and the properties of $\sigma'$ allow us to inductively repeat the proof
for $x_1$, $w_{m+1}$, $\psi_{m+1}$, and $\sigma'$ instead of $x_0$, $w$,
$\varphi$, and $\sigma$, respectively. As $\sigma'$ is strictly shorter than
$\sigma$, this is possible only a finite number of times. Hence we must
eventually end up in the case "$n' \le m$" of the proof that yields a
contradiction. Therefore the only thing left is to show that the two claims
hold.

Claim 1. We distinguish whether $x_1$ is a virtual successor of
$\langle a\rangle\chi \in s$ or not.

If $x_1$ is not virtual, that is it is a child of $s$ in $T$, it is obviously a
descendant of $x_0$ as every node - in particular $s$ - on $\pi$ is a
descendant of $x_0$. Furthermore, it follows directly from
$\mathrm{uev}_s(\langle a\rangle\chi, \langle a^*\rangle\psi) > h$ and
$\psi_{m+1} = \chi$ and the definition of the $\langle\rangle$-rule that
$\mathrm{uev}_{x_1}(\psi_{m+1}, \langle a^*\rangle\psi) > h$.

If $x_1$ is a virtual successor, a glance at the definition of uev in the
$\langle\rangle$-rule reveals that $x_1$ must lie on the path from $x_0$ to $s$
(it could be $x_0$) as we have
$\mathrm{uev}_s(\langle a\rangle\chi, \langle a^*\rangle\psi) > h$ and
$h = \mathrm{len}(\mathrm{HCr}_{x_0})$. Thus $x_1$ is a descendant of $x_0$ and
has $\mathrm{uev}_{x_1}(\chi, \langle a^*\rangle\psi) > h$ as we have already
established this on our way from $x_0$ down to $s$.

Claim 2. By definition of the $\langle\rangle$-rule, $\Gamma_{x_1}$ is of the
form $\psi_{m+1} \cup \Delta$ where $[a]\Delta \subseteq \Gamma_s$. We know
$M, w_{m+1} \Vdash \psi_{m+1}$ because of the properties of $\sigma$. We also
know that $(M, w_m)$ in particular satisfies $[a]\Delta$ since we have
established that $\Gamma_s \supseteq [a]\Delta$ is satisfied by $(M, w)$ and
$w = w_m$. As $w_{m+1}$ is a successor world of $w$ (i.e. $w \, R_a \, w_{m+1}$),
this implies that $(M, w_{m+1})$ satisfies $\Delta$, and hence $\Gamma_{x_1}$. □

Theorem 4.8 If the root $r \in T$ is not open then $\phi$ is not satisfiable.

Proof. If $r$ is closed, the claim follows directly from Lemma 5.8. If $r$ is
barred, we assume that $\Gamma_r$ is satisfiable and derive a contradiction.

So, for a contradiction, let $M = (W, R, V)$ be a model and $w \in W$ a world
such that $(M, w)$ satisfies $\Gamma_r = \phi$. As $\mathrm{BD}_r =$ by
construction of $T$, we can apply Lemma 5.7 which gives us a path $\pi$ with the
properties stated in Lemma 5.7. Let $y$ be the last node of $\pi$, hence $y$ is
a state. It cannot be closed because of Lemma 5.8 and the fact that $(M, w)$
satisfies $\Gamma_y$; but this means that $y$ must be open as states can only be
closed or open by construction. It is easy to see that all nodes on $\pi$ must
also be open due to the construction of the variable stat in the $\alpha$- and
$\beta$-rules. But this is a contradiction to the assumption that $r$, which is
the first node on $\pi$, is barred. □






